Re: IRC policies

[David Shettler <dshettle () HOLYCROSS EDU>]

We're blocking _and_ quarantining outright via an IPS, and
white-listing on request.  Have had only one instance where
white-listing was required in 18+ months that was not an ITS employee
using it.  Not the solution for every school, but has worked
wonderfully for us.

Dave Shettler
Sr. Tech Services Engineer
College of the Holy Cross
etiolated.org

On 6/6/07, H. Morrow Long <morrow.long () yale edu> wrote:
> And if you see a computer repeatedly and unsuccessfully attempting to:
>
>  * join a channel (e.g. #mp3-w@r3z) 4-ever
>  * use a nick or variants of the same nick
>  (particularly "hacker", "hack3993", etc.)
>  * use a particular username
>
> particularly when the nick or username is already in use but the computer
> persists
> in mindless repetition -- you've probably got a bot.
>
> Lots of PINGs and PONGs are also often a good sign but are not necessarily.
>
>
> - H. Morrow Long, CISSP, CISM, CEH
>   University Information Security Officer
>   Director -- Information Security Office
>   Yale University, ITS
>
>
>
>
>
> On Jun 6, 2007, at 10:45 AM, Hull, Dave wrote:
>
> In my past life working in a security office, the Snort signatures that
> monitor nick changes to a great job of tipping off machines that are
> bots. Normal users don't request nick changes as rapidly as bots. If
> you're wanting to monitor IRC or clamp down on it, pay particular
> attention and tune well your Snort or other IDS/IPS rules that watch for
> nick changes.
>
> YMMV.
>
> --
> Dave Hull, CISSP, CHFI
> IT Director
> KU School of Architecture & Urban Planning
> 785-864-2629
>
> "The free world says that software is the embodiment of knowledge about
> technology, which needs to be free in the same way that mathematics is
> free."
> -- Eben Moglen, Software Freedom Law Center