[Snort-users] Newbie: Bot Detection Rule
vosipov at ...2096...
Fri Jun 22 04:15:03 EDT 2001
Brian Caswell wrote:
> George Yobst wrote:
> > I was just reading this article about how Gibson Research
> > was knocked off the net ( http://grc.com/dos/grcdos.htm ).
> > Near the end of the article was a section on detecting these
> > bots. As a new snort user, I can probably RTM and create
> > some rules that create an alert for ports 6667 and 113,
> > but how do I test it? -George
> oooooh a spy bot. WOW!!! You could write your own spy bot in some
> super leet language like TCL or something. Mad leet yo.
> Then you too can *STOP* those *EVIL* hackers!!!!
> Am I the only person that is tired of hearing about how Steve Gibson
> is the greatest anti-hacker in the world?
nope, but seems that you're the only one who's over-reacting :) btw,
Bruce Schneier has a very nice article about GRC in his newsletter -
and regarding rules - I never understood what's the use of logging all
packets going to unusual ports etc. So let's say I've received a UDP
packet to port 666 - what am I supposed to do? Complain? (ever heard
about spoofing - especially if it's UDP?). That's why I like snort DB
logging - the only thing I can do is to log all that garbage to a
database to dig it sometimes if something really nasty starts...
> alert tcp any any -> any 6667 (msg:"Evil HACKERS!!! stop the evil
> alert udp any any -> any 666 (msg:"We are under *ATTACK* by UDP
> alert icmp any any -> any any (msg:"DoS!!! DoS!!! We are under
> attack by DoS!!!";)
heh, 3ViL L337 u :) don't be so bad to us lamers :)))
> P.S. This is personal opinion only. I'm talking on behalf of
> myself and myself only.
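The "log it all to a database and dig through it later" approach discussed above, as an added example that is not part of this thread or of Snort itself: the script parses alert lines in Snort's fast alert format (the one written by `snort -A fast`), stores them in an in-memory SQLite table, and then answers the questions a defender would actually ask of such a store, such as which destination ports generate the most alerts and which sources are behind a given port. The sample alert lines and all addresses in them are constructed for the example; the rule message texts and SIDs are fictitious. Per-source counts for UDP alerts are reported with a spoofable flag, since a UDP source address on its own proves nothing, which is the objection raised in the reply.

```python
import re
import sqlite3

# Constructed sample of Snort fast-format alert lines (not real traffic).
# Dates, addresses, messages and SIDs are all fictitious.
SAMPLE_ALERTS = """\
06/22-04:10:01.000001  [**] [1:1000001:1] IRC port traffic [**] [Priority: 3] {TCP} 10.0.0.5:1034 -> 192.168.1.2:6667
06/22-04:10:02.000002  [**] [1:1000001:1] IRC port traffic [**] [Priority: 3] {TCP} 10.0.0.5:1035 -> 192.168.1.2:6667
06/22-04:10:03.000003  [**] [1:1000002:1] ident probe [**] [Priority: 3] {TCP} 10.0.0.5:1036 -> 192.168.1.2:113
06/22-04:10:04.000004  [**] [1:1000003:1] UDP to port 666 [**] [Priority: 3] {UDP} 203.0.113.9:4444 -> 192.168.1.2:666
06/22-04:10:05.000005  [**] [1:1000003:1] UDP to port 666 [**] [Priority: 3] {UDP} 203.0.113.10:4444 -> 192.168.1.2:666
06/22-04:10:06.000006  [**] [1:1000001:1] IRC port traffic [**] [Priority: 3] {TCP} 10.0.0.7:2000 -> 192.168.1.2:6667
"""

# Snort fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:sport -> dst:dport. The Classification field is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_line(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def load_alerts(text, conn=None):
    """Load every parseable alert line from text into an SQLite table and return the connection."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE IF NOT EXISTS alert (
               ts TEXT, sid INTEGER, msg TEXT, prio INTEGER, proto TEXT,
               src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"""
    )
    rows = [
        (r["ts"], r["sid"], r["msg"], r["prio"], r["proto"],
         r["src"], r["sport"], r["dst"], r["dport"])
        for r in map(parse_fast_line, text.splitlines()) if r
    ]
    conn.executemany("INSERT INTO alert VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def alerts_by_port(conn):
    """Alert volume per (proto, dport), busiest first: the first thing to look at after a burst."""
    return conn.execute(
        "SELECT proto, dport, COUNT(*) FROM alert "
        "GROUP BY proto, dport ORDER BY COUNT(*) DESC, dport"
    ).fetchall()


def sources_for_port(conn, proto, dport):
    """Per-source counts for one port; the third column flags UDP sources as spoofable."""
    spoofable = proto.upper() == "UDP"
    return [
        (src, n, spoofable)
        for src, n in conn.execute(
            "SELECT src, COUNT(*) FROM alert WHERE proto=? AND dport=? "
            "GROUP BY src ORDER BY COUNT(*) DESC, src",
            (proto, dport),
        ).fetchall()
    ]


if __name__ == "__main__":
    db = load_alerts(SAMPLE_ALERTS)
    for proto, port, n in alerts_by_port(db):
        print(f"{proto}/{port}: {n} alerts")
        for src, count, spoof in sources_for_port(db, proto, port):
            print(f"   {src}: {count}{'  (UDP source, unverified)' if spoof else ''}")
```

To use it against a live sensor, feed the contents of Snort's fast alert file to `load_alerts` with a file-backed connection instead of `:memory:`; the same two queries then answer "what changed" when something nasty starts, without anyone having to react to each individual port-666 packet as it arrives.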