Snort mailing list archives
Re: Newbie: Bot Detection Rule
From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Fri, 22 Jun 2001 09:15:03 +0100
Brian Caswell wrote:
George Yobst wrote:
I was just reading this article about how Gibson Research was knocked off the net ( http://grc.com/dos/grcdos.htm ). Near the end of the article was a section on detecting these bots. As a new snort user, I can probably RTM and create some rules that create an alert for ports 6667 and 113, but how do I test it?
-George

heh. oooooh a spy bot. WOW!!! You could write your own spy bot in some super leet language like TCL or something. Mad leet yo. Then you too can *STOP* those *EVIL* hackers!!!! Am I the only person that is tired of hearing about how Steve Gibson is the greatest anti-hacker in the world?
nope, but seems that you're the only one who's over-reacting :)

btw, Bruce Schneier has a very nice article about GRC in his newsletter - http://www.counterpane.com/crypto-gram-0106.html#6

and regarding rules - I never understood what's the use of logging all packets going to unusual ports etc. So let's say, I've received a UDP packet to port 666 - what am I supposed to do? Complain? (ever heard about spoofing - especially if it's UDP?). That's why I like snort DB logging - the only thing I can do is to log all that garbage to a database to dig it sometimes if something really nasty starts...
alert tcp any any -> any 6667 (msg:"Evil HACKERS!!! stop the evil HACKERS!!!";)
alert udp any any -> any 666 (msg:"We are under *ATTACK* by UDP PACKETS!!!";)
alert icmp any any -> any any (msg:"DoS!!! DoS!!! We are under attack by DoS!!!";)
heh, 3ViL L337 u :) don't be so bad to us lamers :)))

regards,
W.
-brian

P.S. This is personal opinion only. I'm talking on behalf of myself and myself only.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
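George's question was how to test port-based rules like the ones quoted in this thread before trusting them on a sensor. The script below is an added example, not code from the thread or from the Snort project: it parses the header part of Snort-style rules (action, protocol, addresses, ports, direction, plus the msg option) and evaluates them against a few constructed packet tuples, so you can check offline which rule fires on which traffic. The rule strings and packet values are constructed for the example; real Snort options such as content, flags, sid and CIDR address lists are deliberately out of scope.

```python
"""Minimal offline matcher for Snort-style rule headers (added example).

It is not Snort and does not replace it: it only models the header fields
and the msg option, enough to sanity-check port-based rules such as the
6667/113/666 ones discussed in the thread against hand-built packets.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str


@dataclass
class Packet:
    """Constructed 5-tuple; ICMP packets carry None for both ports."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    msg_m = re.search(r'msg:\s*"([^"]*)"', m.group("opts"))
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], msg_m.group(1) if msg_m else "")


def port_matches(spec: str, port: Optional[int]) -> bool:
    """Supports any, N, !N, and ranges lo:hi / lo: / :hi."""
    if spec == "any":
        return True
    if port is None:            # protocol without ports: only 'any' matches
        return False
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != neg


def addr_matches(spec: str, addr: str) -> bool:
    """Supports any, exact host and !host; CIDR and lists are not modelled."""
    if spec == "any":
        return True
    neg = spec.startswith("!")
    return (spec.lstrip("!") == addr) != neg


def one_way(r: Rule, p: Packet) -> bool:
    return (addr_matches(r.src, p.src) and port_matches(r.sport, p.sport)
            and addr_matches(r.dst, p.dst) and port_matches(r.dport, p.dport))


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if one_way(r, p):
        return True
    if r.direction == "<>":     # bidirectional: also try the packet reversed
        return one_way(r, Packet(p.proto, p.dst, p.dport, p.src, p.sport))
    return False


def alerts_for(rules: List[Rule], p: Packet) -> List[str]:
    """Return the msg of every alert rule that fires on the packet."""
    return [r.msg for r in rules if r.action == "alert" and matches(r, p)]


# Constructed rules in the spirit of the thread (ports 6667, 113, 666, ICMP).
EXAMPLE_RULES = [
    'alert tcp any any -> any 6667 (msg:"IRC connection to port 6667";)',
    'alert tcp any any -> any 113 (msg:"ident query to port 113";)',
    'alert udp any any -> any 666 (msg:"UDP to port 666";)',
    'alert icmp any any -> any any (msg:"ICMP seen";)',
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in EXAMPLE_RULES]
    for pkt in (Packet("tcp", "10.0.0.5", 40000, "192.0.2.1", 6667),
                Packet("udp", "198.51.100.9", 5353, "10.0.0.5", 666),
                Packet("tcp", "10.0.0.5", 40000, "192.0.2.1", 80)):
        print(pkt, "->", alerts_for(rules, pkt) or "no alert")
```

The UDP case is worth reading next to Vitaly's point: the matcher fires on the destination port alone, and nothing in the rule (or in UDP itself) verifies the source address, which is why a port-666 hit on its own is a log entry to correlate later rather than something to act on.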