[unisog] Snort use on Campus - IRC Rules in Particular

Anderson Johnston andy at umbc.edu
Fri Apr 11 18:29:56 GMT 2003

Thanks!  IRC 'bots were one of my biggest pains until I organized a system
to squish them.  I've been using a rule posted here a year or so back.

Recently, I've noticed that the 'bots announcing themselves using the
string "To request a file type" are no longer the same as the ones showing
up in my daily "Maximum IRC Traffic" report from Flowtools.  Conclusion:
The big bandwidth 'bots have different spots, now.

I prefer catching 'bots with signatures to inferring their presence from
gross traffic volume (fewer false positives).  These sigs should help a

						- andy

On Fri, 11 Apr 2003, nick nelson wrote:

> Greetings folks..
> I've personally been working on a project with a few other universities to
> create some IRC rules for snort (www.snort.org) that will detect clients
> such as drones (DDoS drones, good indictater the machine they are on is
> compromised.), as well as XDCC bots running on the network (warez,
> uploading in terrabytes sometimes, not good for anyone's network) as well
> as a good bit of general IRC rules, and we are working on adding to them
> by the day.
> We've done a good bit of initial beta testing, we are sure the rules we
> have created do work however I'm currently looking for any other
> universities or ISPs in general even that are willing to plug these rules
> in and give me some input on how effective they are, etc.
> They are at :
> http://coders.meta.net.nz/~perry/irc.rules
> For those of you that are already running snort, this should be an easy
> addition and you should start receiving alerts from them pretty soon, it
> is my experience as a Oper on Undernet (www.undernet.org) and also in the
> past on the other large networks that most universities at least have a
> few XDCC bots and drones running on their network, some, especially if you
> aren't responsive toward them, have quite a few running.
> If you aren't running snort, please feel free to drop me an email (well
> drop me an email either way so I know who's testing these rules) and I'll
> be glad to help you get a snort box set up, it's not too difficult.
> Snort can be good for detecting kazaa, general intrusion attempts, stuff
> like the sql slammer, almost anything, and for those that have a decent
> machine laying around, at a cost of $0.
> I thank whoever inserts these rules in advance...it'll hopefully really
> help reduce DDoS and general waste of bandwidth on IRC abuse, a link for
> you also that backgrounds a lot of irc abuse issues is :
> http://staff.washington.edu/dittrich/misc/ddos/
> Thanks again..
> n
> --
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
> . Nick Nelson                                     nick at arpa dot com  .
> - Office of Information Technology                                      -
> . Valdosta State University                                             .
> - snelson-at-valdosta.edu                                               -
> .                  arpa.com :: the mainstream runs shallow              .
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **

More information about the unisog mailing list