[Snort-users] Re: Is this a valid rule?

Hicks, John JHicks at ...5857...
Fri Oct 25 12:06:24 EDT 2002


7001 is also a standard IRC port used for SSL communications.

John

-----Original Message-----
From: Phil Wood [mailto:cpw at ...440...]
Sent: Friday, October 25, 2002 2:47 PM
To: SLefevre_at_i-m-i-international.com at ...441...
Cc: snort-users at lists.sourceforge.net
Subject: [Snort-users] Re: Is this a valid rule?



> I have this rule in my local rule file:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity") 
>
> (It's to detect IRC traffic ;)
>
> Why does snort always choke on it? I've looked it over 100 times and it
> seems to follow the syntax.

Nope.

Put a ';' between the " and the ) like so:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity";)

Also, ports 6667 and 6668 are the default IRC ports.

6000 - 60xx can be X server ports.  I used to see hacks every week back
in the dark ages where the cracker sent himself an xterm window on ports
6000-6007.

Just remember that ports are not really anything more than numbers from
zero to 65535.  You could have an ssh server listening on port 65535 or
scumbag.com sending you javascript to open up http connections to port 23
so they can learn more about your web preferences among other things.

Later,

Phil
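
The missing-semicolon fix above, turned into a pre-flight check. This is an added example, not part of the original thread and not Snort's own parser; the function names and the simplified header pattern are assumptions, and the only rule enforced is that every option ends with ';'.

```python
import re

# Simplified rule shape: action proto src sport dir dst dport (options)
RULE = re.compile(r'^\s*\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')

def split_options(body):
    """Split an option body on ';' outside double quotes.
    Returns (terminated_options, unterminated_tail, quote_left_open)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return opts, ''.join(cur).strip(), in_quote

def check_rule(rule):
    """Return a list of syntax problems for one rule line ([] means none found)."""
    m = RULE.match(rule)
    if not m:
        return ["header or parentheses malformed"]
    opts, tail, open_quote = split_options(m.group(1))
    problems = []
    if open_quote:
        problems.append("unterminated double quote")
    if tail:
        problems.append("option missing terminating ';': " + tail)
    if any(not o for o in opts):
        problems.append("empty option (stray ';')")
    return problems

# Constructed sample: the two rules from the thread plus one multi-option rule.
SAMPLE = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 6667:6668 (msg:"IRC Activity"; flags:A+)',
]

if __name__ == "__main__":
    for rule in SAMPLE:
        print(check_rule(rule) or "ok", "<-", rule)
```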

