That last signature had the wrong destination port designated. My
mistake. I use the !80 port definition so I can gain some visibility
to the virus/worm traffic. If you prefer the purer version of the
signature, replace !80 with the original 6666:7000 definition.
Sorry about any confusion it may have caused.
Colin
On 6/30/05, Colin Grady <colin.grady@gmail.com> wrote:
Or even using PCRE we can see both local and global IRC channel joins:
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHAT IRC channel
join"; flow:to_server,established; content:"JOIN "; nocase;
pcre:"/^JOIN\s(#|&)[a-zA-Z0-9]+/ism"; classtype:policy-violation;
sid:1729; rev:7;)
Colin
On 6/30/05, Colin Grady <colin.grady@gmail.com> wrote:
According to how I understand the IRC protocol, there shouldn't be a
colon in the JOIN command from client to server. Looking at RFC 1459
confirms this. Here is the applicable section:
http://www.irchelp.org/irchelp/rfc/chapter4.html#c4_2_1
Here's the current signature:
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC
channel join"; flow:to_server,established; content:"JOIN |3A| |23|";
offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
I think this signature should be changed to the following:
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC
channel join"; flow:to_server,established; content:"JOIN |23|";
offset:0; nocase; classtype:policy-violation; sid:1729; rev:6;)
Colin
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id�492&opÌk
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
