Matthew Jonkman wrote:
I agree with you on the 3600 second tag. That might be excessive. I've
changed them all to 300.
Not sure what you're saying on point number 2. Can you elaborate?
Thanks
Matt
OK.
These are the rules submitted by Joel Esler.
The 2 firsts rules are taking care of the destination port. The third
one seems dubious for me.
Perhaps it should be "alert tcp $EXTERNAL_NET !6661:6668-> $HOME_NET
any" or
" alert tcp $HOME_NET any->$EXTERNAL_NET !6661:6668"
The rules following (2000347 and following) are not including criteria
on the destination port (any).
#Submitted by Joel Esler
alert tcp any any -> any !6661:6668 (msg:"BLEEDING-EDGE IRC - Nick
change on non-std port"; content: "NICK "; offset:0;depth:5; nocase;
dsize:<64; flow:to_server,established; tag:session,300,seconds;
classtype:policy-violation; sid:2000344; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"BLEEDING-EDGE
IRC - Nick change on non-std port"; content:"NICK "; offset:0; depth:5;
nocase; dsize:<64; flow:to_server,established; tag:session,3600,seconds;
classtype:trojan-activity; sid:2000345; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET !6661:6668 (msg:"BLEEDING-EDGE
IRC - Name response on non-std port"; content:"\:"; offset:0; depth:1;
content:" 302 "; content:"=+"; content:"@"; dsize:<128;
flow:to_client,established; tag:session,3600,seconds;
classtype:trojan-activity; sid:2000346; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -
Private message on non-std port"; content:"PRIVMSG "; nocase;offset:0;
depth:8; dsize:<128; flow:to_server,established;
tag:session,3600,seconds; classtype:trojan-activity; sid:2000347; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -
Channel JOIN on non-std port"; content:"JOIN "; offset:0; depth:5;
nocase; pcre:"/&|#|\+|!/R"; dsize:<64; flow:to_server,established;
tag:session,3600,seconds; classtype:trojan-activity; sid:2000348; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -
DCC file transfer request on non-std port"; flow:to_server,established;
content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC SEND";
nocase; tag:session,3600,seconds; classtype:policy-violation;
sid:2000349; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -
DCC chat request on non-std port"; flow:to_server,established;
content:"PRIVMSG "; nocase; offset:0; depth:8; content:" \:.DCC CHAT
chat"; nocase; tag:session,3600,seconds; classtype:policy-violation;
sid:2000350; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -
channel join on non-std port"; flow:to_server,established; content:"JOIN
\: \#"; nocase; offset:0; depth:8; tag:session,3600,seconds;
classtype:policy-violation; sid:2000351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE IRC -
dns request on non-std port"; flow:to_server,established;
content:"USERHOST "; nocase; offset:0; depth:9;
tag:session,3600,seconds; classtype:policy-violation; sid:2000352; rev:1;)
Thierry Chich
Chich Thierry wrote:
The bleeding edge rules sid:2000344 and following, that are looking for
IRC traffic on non standard-port give me huge trace.
First of all, the session time (3600 seconds) is too long. Some people
use IRC in order to transmit divx files or warez.
Secondly, some rules announce that they track activity on non-std port
but there is nothing in the reule that check the port. In my database,
I have capture 100000 packets of a chat session, and I truly doubt
that the user
has sent a real message in these 100000 packets.
Thierry Chich
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
