[Snort-users] Out of topic: Snort rule doesn't generate alerts when hosts responding simultaneously

beenph beenph at ...11827...
Sat Mar 10 22:17:13 EST 2012


On Sat, Mar 10, 2012 at 10:04 PM, Aymen <aymenco777 at ...14012...> wrote:
> Hi all,

> I know this post is out of topic of this group! I do this post because
> I haven't see any active group dealing with Snort like you, and I hope
> the members can help me on my issue.
>
> My issue is:
>
> alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel
> suspecious act"; content:"PRIVMSG"; offset:0; depth:7; nocase;
> dsize:<64; flow:to_server,established; tag:session,300,seconds;
> classtype:bad-unknown; sid:2000346; rev:4;)
>
> The above rule is written to monitor bots responding messages to the
> botmaster. The rule is working fine, but only when one bot making the
> respond and there is no alert or even one alert for one host when more
> than one host responding simultaneously. I have changed the session
> time to 30 or 150 but no luck.
>
> Any tips or tricks to make it efficient?
>
> Thank you all and sorry for any disturbing.
>
> -Aymen

Greetings Aymen,

 i think snort-users at lists.sourceforge.net is pretty active for snort
question you should go there without hesitation

>From my perspective it seem's that the rule is  fine but i would
change  the any any -> any any to something like

$HOME_NET any -> !$HOME_NET any msg :privmsg to irc

and write a second rule that is analog to the first one that looks exactly alike

Except for sid and  using reverse logic for the triggering flow (and
probably change the message to reflect that also)
!$HOME_NET any -> $HOME_NET any msg: privmsg from irc


Also try to use tag: session,300,src

I hope this can help you, also i forwarded the msg to snort-users so
sign up there mabey someone will respond with
more information over there!

Hope this helps.

-elz




More information about the Snort-users mailing list