[Snort-users] not allowing dcc send/receive on irc

Petre Bandac petre at ...6894...
Sun Sep 15 03:27:03 EDT 2002


I have made the following rule

alert tcp any any -> $12 any \
                (content:       "DCC SEND"; \
                                regex; \
                                # offset: 0; \
                                # depth: 9; \
                                # flags: SA; \
                                msg: "worldwide -> 12"; \
                                react: block; \
                                logto: "DCC_in"; \
                                resp: rst_all,icmp_all; )

to disallow any DCC send/receive on the IRC network; I tried to use the flags 
option to cut off only the packets containing "DCC SEND" with the SYN 
flag set, but it didn't work

currently I use the above configuration, but I presume that any message (even 
a PRIVMSG) containing the string "DCC SEND" will reset the connection

any ideas to make this rule more flexible and efficient? (I'm an extreme 
newbie to snort - I have read the docs and the above is the best I could come 
up with :-))

thanks,

petre




-- 
Login: petre          			Name: Petre Bandac
Directory: /home/petre              	Shell: /bin/bash
Office: Brasov, Romania			Home Phone: 40-068-324800
On since Sun Sep 15 12:40 (EEST) on tty2   29 minutes 38 seconds idle
No mail.
Plan:

none, for the time being :-)
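An added example, not part of the original post, showing why the rule as posted over-matches. A DCC SEND offer travels inside a PRIVMSG as a CTCP request, i.e. the trailing parameter is wrapped in 0x01 bytes: PRIVMSG nick :<0x01>DCC SEND file ip port [size]<0x01>. A bare "DCC SEND" content match therefore also fires on ordinary chat that mentions the phrase, while a match anchored on the CTCP delimiter (in Snort content syntax, content:"|01|DCC SEND ") only fires on real offers. The flags: SA attempt cannot work for a different reason: the SYN/ACK segment carries no payload, so there is no "DCC SEND" in it to match. The code below contrasts the raw substring check with a parser that only accepts a well-formed CTCP DCC SEND and decodes the offer (the 32-bit decimal address, port and size); the IRC lines are constructed sample traffic, not captures from the poster's network.

```python
import ipaddress
import re

CTCP_DELIM = b"\x01"

# Constructed sample client->server IRC lines (not from the original post).
# Lines 1-2 are genuine DCC SEND offers; 3-4 merely mention the phrase in
# chat text; 5-6 are other CTCP requests that must not be flagged.
SAMPLE_LINES = [
    b"PRIVMSG bob :\x01DCC SEND warez.zip 3232235777 6667 1048576\x01\r\n",
    b'PRIVMSG bob :\x01DCC SEND "my file.txt" 167772161 4321 42\x01\r\n',
    b"PRIVMSG #snort :could you DCC SEND me that pcap?\r\n",
    b"NOTICE bob :DCC SEND is disabled on this network\r\n",
    b"PRIVMSG bob :\x01DCC CHAT chat 3232235777 6668\x01\r\n",
    b"PRIVMSG bob :\x01VERSION\x01\r\n",
]

# DCC SEND argument grammar: quoted or bare filename, decimal IPv4, port, optional size.
DCC_SEND_RE = re.compile(rb'^DCC SEND (?:"([^"]+)"|(\S+)) (\d+) (\d+)(?: (\d+))?$')


def naive_match(line: bytes) -> bool:
    """Equivalent of the posted rule: a raw substring search for DCC SEND."""
    return b"DCC SEND" in line


def parse_irc(line: bytes):
    """Split an IRC line into (prefix, COMMAND, params); a trailing ':' param is last."""
    line = line.rstrip(b"\r\n")
    prefix = None
    if line.startswith(b":"):
        prefix, _, line = line[1:].partition(b" ")
    middle, sep, trailing = line.partition(b" :")
    words = middle.split()
    if not words:
        return prefix, b"", []
    command, params = words[0].upper(), words[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def dcc_send_offer(line: bytes):
    """Return the decoded offer for a genuine CTCP DCC SEND, else None."""
    _, command, params = parse_irc(line)
    if command not in (b"PRIVMSG", b"NOTICE") or len(params) < 2:
        return None
    text = params[-1]
    # A CTCP request is delimited by 0x01 on both ends; plain chat is not.
    if not (text.startswith(CTCP_DELIM) and text.endswith(CTCP_DELIM)):
        return None
    m = DCC_SEND_RE.match(text[1:-1])
    if not m:
        return None
    name = m.group(1) or m.group(2)
    return {
        "target": params[0].decode(),
        "file": name.decode(errors="replace"),
        # DCC carries the sender address as a 32-bit decimal integer.
        "ip": str(ipaddress.IPv4Address(int(m.group(3)))),
        "port": int(m.group(4)),
        "size": int(m.group(5)) if m.group(5) else None,
    }


def scan(lines):
    """Return (count of naive substring hits, list of decoded real DCC SEND offers)."""
    naive_hits = sum(1 for line in lines if naive_match(line))
    offers = [o for o in (dcc_send_offer(line) for line in lines) if o]
    return naive_hits, offers


if __name__ == "__main__":
    hits, offers = scan(SAMPLE_LINES)
    print(f"substring rule would reset {hits} of {len(SAMPLE_LINES)} lines")
    for offer in offers:
        print("real DCC SEND offer:", offer)
```

On the six sample lines the substring check fires four times, including on the two chat lines, while the CTCP-aware check reports only the two genuine offers with the sender address decoded. The same distinction is what an anchored content match on the 0x01 delimiter buys in the rule itself.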
