[Snort-users] Re: Is this a valid rule?

Phil Wood cpw at ...440...
Fri Oct 25 11:51:03 EDT 2002


> I have this rule in my local rule file:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity") 
>
> (It's to detect IRC traffic ;)
>
> Why does snort always choke on it? I've looked it over 100 times and it
> seems to follow the syntax.

Nope.

Put a ';' between the " and the ) like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity";)

Also, ports 6667 and 6668 are the default IRC ports.

6000 - 60xx can be X server ports.  I used to see hacks every week back
in the dark ages where the cracker sent himself an xterm window on ports
6000-6007.

Just remember that ports are not really anything more than numbers from
zero to 65535.  You could have an ssh server listening on port 65535 or
scumbag.com sending you javascript to open up http connections to port 23
so they can learn more about your web preferences among other things.

Later,

Phil
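As an added illustration (not part of Phil's reply and not Snort's own code), here is a small Python checker that parses a rule header and its option section with the grammar this thread turns on: every option in the parentheses has to be terminated by ';', and port fields like 6008:6009 are ranges. The two rules from the thread are embedded as constructed samples; the function names and the simplified header regex are this example's assumptions, not Snort's API.

```python
import re

# Constructed sample rules: the one posted in the thread and Phil's corrected form
BROKEN_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")'
FIXED_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity";)'

HEADER_RE = re.compile(  # action proto src sport dir dst dport (options)
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

def parse_ports(spec):
    """'any', '6008', '6008:6009', ':1024' or '1024:' -> (low, high)."""
    if spec == 'any':
        return (0, 65535)
    lo, sep, hi = spec.partition(':')
    return (int(lo or 0), int(hi or 65535) if sep else int(lo))

def parse_options(body):
    """Split the option section into (key, value) pairs; each option must end in ';'."""
    opts, i, n = [], 0, len(body)
    while i < n:
        if body[i].isspace():                  # whitespace between options
            i += 1
            continue
        start, in_quote = i, False
        while i < n and (in_quote or body[i] != ';'):   # ';' inside "..." is data
            in_quote ^= body[i] == '"'
            i += 1
        if i >= n:   # reached the closing ')' before a ';' -- the error in the thread
            raise ValueError("option not terminated by ';': %r" % body[start:].strip())
        key, _, val = body[start:i].partition(':')
        opts.append((key.strip(), val.strip().strip('"')))
        i += 1   # step over the ';'
    return opts

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("bad rule header")
    d = m.groupdict()
    d['sport'], d['dport'] = parse_ports(d['sport']), parse_ports(d['dport'])
    d['opts'] = parse_options(d['opts'])
    return d

def validate(text):
    try:
        parse_rule(text)
        return ''
    except ValueError as e:
        return str(e)
```

validate(BROKEN_RULE) returns the "option not terminated" message while validate(FIXED_RULE) returns an empty string, which is the whole difference Phil's one-character fix makes.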