Snort use on Campus - IRC Rules in Particular

nick nelson snelson at
Fri Apr 11 09:33:08 GMT 2003

Greetings folks..

I've personally been working on a project with a few other universities to
create some IRC rules for snort ( that will detect clients
such as drones (DDoS drones, good indictater the machine they are on is
compromised.), as well as XDCC bots running on the network (warez,
uploading in terrabytes sometimes, not good for anyone's network) as well
as a good bit of general IRC rules, and we are working on adding to them
by the day.

We've done a good bit of initial beta testing, we are sure the rules we
have created do work however I'm currently looking for any other
universities or ISPs in general even that are willing to plug these rules
in and give me some input on how effective they are, etc.

They are at :

For those of you that are already running snort, this should be an easy
addition and you should start receiving alerts from them pretty soon, it
is my experience as a Oper on Undernet ( and also in the
past on the other large networks that most universities at least have a
few XDCC bots and drones running on their network, some, especially if you
aren't responsive toward them, have quite a few running.

If you aren't running snort, please feel free to drop me an email (well
drop me an email either way so I know who's testing these rules) and I'll
be glad to help you get a snort box set up, it's not too difficult.

Snort can be good for detecting kazaa, general intrusion attempts, stuff
like the sql slammer, almost anything, and for those that have a decent
machine laying around, at a cost of $0.

I thank whoever inserts these rules in'll hopefully really
help reduce DDoS and general waste of bandwidth on IRC abuse, a link for
you also that backgrounds a lot of irc abuse issues is :

Thanks again..

. Nick Nelson                                     nick at arpa dot com  .
- Office of Information Technology                                      -
. Valdosta State University                                             .
-                                               -
.         :: the mainstream runs shallow              .

More information about the unisog mailing list