[unisog] Snort use on Campus - IRC Rules in Particular

nick nelson snelson at valdosta.edu
Fri Apr 11 19:15:33 GMT 2003


Anderson Johnston propagated the following:
> Thanks!  IRC 'bots were one of my biggest pains until I organized a
> system to squish them.  I've been using a rule posted here a year or so
> back.
>
> Recently, I've noticed that the 'bots announcing themselves using the
> string "To request a file type" are no longer the same as the ones
> showing up in my daily "Maximum IRC Traffic" report from Flowtools.
> Conclusion: The big bandwidth 'bots have different spots, now.
>
> I prefer catching 'bots with signatures to inferring their presence from
> gross traffic volume (fewer false positives).  These sigs should help a
> lot.
>


Hey Andy..

Just to let you know, if you do notice any kind of IRC bots that aren't
being triggered by these rules, please feel free to drop me an email. I
work alongside some of the ircd (server) coders, as well as various other
people; we will find a way to make a rule that will trigger it. I've seen
xdcc bots that upload terabytes of data before being found on some of
the larger nets. I send up to 100 emails a week on IRC bots, both DDoS
drones and xdcc bots on campus networks; some of you may recognize me from
these emails (if the xdcc bots/drones were on Undernet at least).

One thing, however: you might want to remove:

alert tcp $EXTERNAL_NET 6660:7000 -> $HOME_NET any \
(content: "ERROR \:Closing Link\: "; nocase;\
msg: "IRC user /kill detected, possible trojan.";\
classtype:misc-activity;)


After a while, this is a very wide-open rule. Although it'll probably be a
good idea to leave it in for a while, to see if any machines which have no
reason to IRC are triggering it, I honestly didn't mean to leave it in the
bunch because it's so wide open.

This should catch all the DDoS drones, xdcc bots and general IRC annoyances
on your networks, though. For those of you without Snort: I'd HIGHLY
recommend setting up Snort; IRC/DDoS is only one of many things it can do.

nick

johndoe / snickn @ irc.undernet.org (feel free to drop by.)

-- 
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
. Nick Nelson                                     nick at arpa dot com  .
- Office of Information Technology                                      -
. Valdosta State University                                             .
- snelson-at-valdosta.edu                                               -
.                  arpa.com :: the mainstream runs shallow              .
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-


> 					Thanks,
> 						- andy
>
<snipped>
> ---------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)         *  pager: 410-678-8949           **
> ** Manager of IT Security                   *  PGP key: (afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC   *  4A B4 96 64 D9 B6 EF E3 21 9A  **
> ** 410-455-2583 (v)/410-455-1065 (f)        *  46 1A 37 11 F5 6C 84 48 B0 56  **
> ---------------------------------------------------------------------------
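The "Closing Link" rule is flagged above as wide open because an IRC server sends that ERROR line on every disconnect, not only after an operator /kill. The following is an added example (not code from the post or from Snort) that evaluates the header and nocase content of the posted rule in Python against constructed IRC server lines, alongside a narrower variant that also requires the disconnect reason to carry a kill marker. It assumes a campus $HOME_NET of 10.0.0.0/8, that the ircd writes an oper /kill into the reason as "Killed (...)", and that matching on a single payload is a fair stand-in for Snort's content match (stream reassembly is ignored); the sample packets are made up.

```python
"""Evaluate the posted 'Closing Link' Snort rule against constructed IRC traffic."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the campus $HOME_NET is 10.0.0.0/8; everything else is $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
IRC_PORTS = range(6660, 7001)            # Snort's 6660:7000 is an inclusive port range

# content: "ERROR \:Closing Link\: "; nocase;  (compared against a lower-cased payload)
CLOSING_LINK = b"error :closing link: "
# Assumption: the ircd reports an operator /kill in the close reason as "Killed (...)".
KILL_MARKER = b"killed ("


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def _in_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def closing_link_rule(pkt: Packet) -> bool:
    """The rule as posted: $EXTERNAL_NET 6660:7000 -> $HOME_NET any, nocase content."""
    if pkt.src_port not in IRC_PORTS:
        return False
    if _in_home(pkt.src_ip) or not _in_home(pkt.dst_ip):
        return False
    return CLOSING_LINK in pkt.payload.lower()


def kill_only_rule(pkt: Packet) -> bool:
    """Narrower variant: same header, but the close reason must look like an oper /kill."""
    return closing_link_rule(pkt) and KILL_MARKER in pkt.payload.lower()


# Constructed sample traffic (not captured data); 198.51.100.7 plays an external IRC server.
SAMPLES: List[Tuple[str, Packet]] = [
    ("user quit", Packet("198.51.100.7", 6667, "10.1.2.3", 51234,
                         b"ERROR :Closing Link: alice[10.1.2.3] (Quit: leaving)\r\n")),
    ("ping timeout", Packet("198.51.100.7", 6667, "10.7.8.9", 40001,
                            b"ERROR :Closing Link: bob[10.7.8.9] (Ping timeout)\r\n")),
    ("oper kill", Packet("198.51.100.7", 6667, "10.4.5.6", 33333,
                         b"ERROR :Closing Link: drone42[10.4.5.6] (Killed (oper (xdcc drone)))\r\n")),
    ("kill, odd case", Packet("198.51.100.7", 6669, "10.4.5.7", 33334,
                              b"error :CLOSING LINK: drone43[10.4.5.7] (KILLED (oper (drone)))\r\n")),
    ("wrong port", Packet("198.51.100.7", 8080, "10.4.5.8", 33335,
                          b"ERROR :Closing Link: x[10.4.5.8] (Killed (oper (drone)))\r\n")),
    ("wrong direction", Packet("10.1.2.3", 6667, "198.51.100.7", 51234,
                               b"ERROR :Closing Link: y[198.51.100.7] (Killed (oper (drone)))\r\n")),
]


def evaluate(samples=SAMPLES) -> List[Tuple[str, bool, bool]]:
    """Return (label, posted_rule_fired, kill_only_rule_fired) for each sample packet."""
    return [(label, closing_link_rule(p), kill_only_rule(p)) for label, p in samples]


if __name__ == "__main__":
    for label, wide, narrow in evaluate():
        print(f"{label:16s} posted rule: {str(wide):5}  kill-only: {narrow}")
```

Run as a script it shows the posted rule firing on an ordinary QUIT and on a ping timeout as readily as on a /kill, which is the false-positive behaviour the post warns about; the kill-only variant fires only on the two kill lines. The header checks (port range, direction) behave identically in both, so a tighter content match is the only knob that separates the cases.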