[Snort-users] Newbie: Bot Detection Rule

Chris Green cmg at ...671...
Thu Jun 21 17:52:37 EDT 2001


George Yobst <george at ...2364...> writes:

> Hi Craig,
> 
> Sorry about the appalling lack of info.  I'm running
> it on a FreeBSD 4.3 Stable with IPFilter as the FW.
> 
> My question comes down to this:
> The rule(s) I can create, but how do I actually test
> them to make sure they work?

Generate the traffic the rule is catching.

> I'm not up to creating fake bots.  I don't want to
> get one and unleash it on my network.  Is there
> a way to create packets with that port number that
> I can use to run thru Snort?  Something that will
> trigger the alert to make sure it works?

Telnet with the correct ports.  Use netcat.

> I don't care about Gibson, the man.  I do care about
> his research, and its potential.  I want to be
> prepared for this kind of attack and I don't want
> my organization's computers to be used by the Bots.

Try http://www.undernet.org/ or something like that and get a regular
irc client and try to connect to a server.  You will see identd
connections and you will see the irc signon process.

You should be aware that not everyone that uses irc is a leet 15-year-old,
so you should check your organization's own policies before doing a
chicken little.
-- 
Chris Green <cmg at ...671...>
A watched process never cores.
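An added example, not part of this thread, of another way to produce the test traffic Chris describes without connecting to a live IRC network: a small Python script that writes a pcap file containing one constructed TCP segment carrying an IRC signon to port 6667, which you can then read back through Snort with `snort -r` to confirm the rule fires. The port (the standard IRC port; the thread never names one), the addresses and the nickname are assumptions; the header layouts follow the libpcap, IPv4 and TCP formats.

```python
import struct
import socket

IRC_PORT = 6667  # assumed: the standard IRC server port; the thread names no port

def irc_signon(nick: str) -> bytes:
    """Constructed IRC registration as a client sends it right after connecting."""
    return f"NICK {nick}\r\nUSER {nick} 0 * :{nick}\r\n".encode()

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and the TCP segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame (PSH+ACK) carrying payload, with valid checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: ver/ihl, tos, total length, id, DF flag, ttl, proto TCP, csum, addrs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    return eth + ip + tcp

def pcap_bytes(frames) -> bytes:
    """Classic libpcap file: global header (link type 1 = Ethernet) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000000000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges); replace with ones your rule expects.
    frame = build_frame("192.0.2.10", "198.51.100.5", 40000, IRC_PORT, irc_signon("testbot"))
    with open("irc_signon.pcap", "wb") as f:
        f.write(pcap_bytes([frame]))
    print("wrote irc_signon.pcap; try: snort -r irc_signon.pcap -c snort.conf")
```

Because the file contains only the traffic you wrote into it, a rule that stays silent on it is wrong about the content or port, not about something else on the wire.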