Snort mailing list archives

Re: Newbie: Bot Detection Rule

From: Chris Green <cmg () uab edu>
Date: 21 Jun 2001 16:52:37 -0500

George Yobst <george () lincc lib or us> writes:

> Hi Craig,
>
> Sorry about the appalling lack of info.  I'm running
> it on a FreeBSD 4.3 Stable with IPFilter as the FW.
>
> My question comes down to this:
> The rule(s) I can create, but how do I actually test
> them to make sure they work?

Generate the traffic the rule is catching.

> I'm not up to creating fake bots.  I don't want to
> get one and unleash it on my network.  Is there
> a way to create packets with that port number that
> I can use to run thru Snort?  Something that will
> trigger the alert to make sure it works?

Telnet with the correct ports.  Use netcat.

> I don't care about Gibson, the man.  I do care about
> his research, and its potentials.  I want to be
> prepared for this kind of attack and I don't want
> my organization's computers to be used by the Bots.

Try http://www.undernet.org/ or something like that and get a regular
irc client and try to connect to a server.  You will see identd
connections and you will see the irc signon process.

You should be aware that not everyone that uses irc is a leet 15 year
old, so you should see your organization's own policies before doing a
chicken little.
-- 
Chris Green <cmg () uab edu>
A watched process never cores.
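The netcat/telnet approach above, worked through as an added example that is not part of the original thread: a local listener stands in for the bot's IRC server, a client pushes an IRC-style signon through it, and the rule text is what you would drop into snort.conf and then watch the alert file for. The port (6667), the signon payload and the sid are constructed values for this test, and Snort is assumed to be sniffing the loopback or the interface you point the client at.

```python
import socket
import threading

# Constructed test values: a common IRC port and a minimal IRC signon.
IRC_PORT = 6667
SIGNON = b"NICK testbot\r\nUSER testbot 0 * :test\r\n"


def build_rule(port, content, msg, sid=1000001):
    """Build a Snort rule that alerts on outbound TCP to `port` whose
    payload carries `content` (the 'NICK ' of an IRC signon, say)."""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET {port} '
            f'(msg:"{msg}"; content:"{content}"; sid:{sid}; rev:1;)')


def would_alert(rule_port, content, dst_port, payload):
    """Mimic the two checks the rule above makes: destination port and a
    substring match on the payload.  Lets you sanity-check the test
    traffic before you ask Snort to see it."""
    return dst_port == rule_port and content.encode() in payload


def _serve_once(listener, received):
    # Accept one connection and read until the client closes.
    conn, _ = listener.accept()
    with conn:
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
        received.append(b"".join(chunks))


def send_test_signon(port=0, payload=SIGNON):
    """Stand up a local listener (port 0 = any free port, or pass IRC_PORT
    when you want Snort to see the real port) and send the signon to it.
    Returns (port_used, bytes_the_listener_received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))
    listener.listen(1)
    used = listener.getsockname()[1]
    received = []
    worker = threading.Thread(target=_serve_once, args=(listener, received))
    worker.start()
    with socket.create_connection(("127.0.0.1", used)) as client:
        client.sendall(payload)
    worker.join(timeout=5)
    listener.close()
    return used, (received[0] if received else b"")
```

Run it with `port=IRC_PORT` (as root, since Snort must see that port) and check the alert file for the rule's msg; a rule that never fires on this traffic is mis-written, not waiting for a bot.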

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
