Snort mailing list archives
Re: Snort rule doesn't generate alerts when hosts responding simultaneously
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 12 Mar 2012 08:34:02 -0400
I think you need to write two rules, one going outbound and one going inbound. Add flow to both statements, and make their msg important to the direction.

J

On Mar 11, 2012, at 10:55 PM, Balasubramaniam Natarajan wrote:
Hi Aymen,

Ignore my previous email. A tag is used to tag both the source and destination and capture more packets of them rather than just one packet which triggered the alert. In the original rule once Snort sees PRIVMSG it would have tagged x.x.x.x going to y.y.y.y and it would have captured all alerts up to 300 seconds. If you are interested only to see how many client systems are involved in the bot you can change the rule to

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspicious act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; flow:to_server,established; classtype:bad-unknown; sid:2000346; rev:5;)

Kindly correct me if I am wrong.

--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
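To see what the direction-specific rule pair suggested above actually does on the wire, here is an added example (not from the thread and not Snort's own code): a toy Python evaluator for just the handful of options these rules use (content, offset, depth, nocase, dsize and the flow direction), run over a few constructed packets. The msg strings, the sids 1000001/1000002, the addresses and the packet payloads are all assumptions made for the example; "flow:established" is modelled as a simple per-packet direction flag rather than real stream tracking.

```python
"""Toy evaluator for a small subset of Snort rule options.

Added example, not Snort itself: it supports only content/offset/depth/
nocase/dsize/flow and treats the session direction as a boolean on each
constructed packet instead of doing real TCP stream reassembly.
"""
import re
from dataclasses import dataclass

# Two direction-specific rules in the style suggested in the thread.
# The msg text and the sids (local 1000001/1000002 range) are assumptions.
RULES = [
    'alert tcp any any -> any any (msg:"IRC PRIVMSG client to server"; '
    'content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; '
    'flow:to_server,established; classtype:bad-unknown; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"IRC PRIVMSG server to client"; '
    'content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; '
    'flow:to_client,established; classtype:bad-unknown; sid:1000002; rev:1;)',
]


@dataclass
class Packet:
    src: str
    dst: str
    to_server: bool      # True if sent by the TCP client of the session
    payload: bytes


def parse_rule(text):
    """Return the option block of one rule as a dict (flag options map to '')."""
    m = re.match(r'^alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$', text)
    if not m:
        raise ValueError("unsupported rule header: " + text)
    opts = {}
    for opt in m.group(1).split(';'):   # assumes no ';' inside quoted values
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return opts


def dsize_ok(spec, length):
    """Evaluate a dsize option such as '<64', '>10' or '20'."""
    if spec.startswith('<'):
        return length < int(spec[1:])
    if spec.startswith('>'):
        return length > int(spec[1:])
    return length == int(spec)


def matches(opts, pkt):
    """Apply the supported options of one parsed rule to one packet."""
    if 'dsize' in opts and not dsize_ok(opts['dsize'], len(pkt.payload)):
        return False
    flow = opts.get('flow', '').split(',')
    if 'to_server' in flow and not pkt.to_server:
        return False
    if 'to_client' in flow and pkt.to_server:
        return False
    if 'content' in opts:
        needle = opts['content'].encode()
        offset = int(opts.get('offset', 0))
        # depth limits how many bytes after offset are searched, so
        # offset:0; depth:7 anchors a 7-byte content at the payload start
        end = offset + int(opts['depth']) if 'depth' in opts else len(pkt.payload)
        hay = pkt.payload[offset:end]
        if 'nocase' in opts:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def run(rules, packets):
    """Return (sid, msg, src, dst) for every rule/packet pair that alerts."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for pkt in packets:
        for opts in parsed:
            if matches(opts, pkt):
                alerts.append((int(opts['sid']), opts['msg'], pkt.src, pkt.dst))
    return alerts


# Constructed sample traffic (addresses and payloads are made up).
SAMPLE = [
    Packet("10.0.0.5", "198.51.100.9", True, b"PRIVMSG #chan :hello\r\n"),
    Packet("198.51.100.9", "10.0.0.5", False, b"PRIVMSG #chan :ack\r\n"),
    Packet("10.0.0.6", "198.51.100.9", True, b"privmsg #chan :lower\r\n"),
    # relayed by a server with a sender prefix: PRIVMSG is not at offset 0
    Packet("198.51.100.9", "10.0.0.5", False, b":bot!u@h PRIVMSG #chan :x\r\n"),
    # over the dsize limit
    Packet("10.0.0.5", "198.51.100.9", True, b"PRIVMSG #chan :" + b"A" * 60),
]

if __name__ == "__main__":
    for sid, msg, src, dst in run(RULES, SAMPLE):
        print(f"[{sid}] {msg}: {src} -> {dst}")
```

Each side of the exchange now fires its own sid, so the alert log tells you which hosts spoke as clients and which as servers instead of one undirected hit. Two things worth noticing in the sample: the server-relayed line that carries a ":nick!user@host" prefix never matches, because offset:0; depth:7 only examines the first seven payload bytes, and the oversized line is dropped by dsize:<64 before content is even checked. Real Snort additionally needs the stream to be tracked for flow:established to be true; the toy stands in for that with the to_server flag.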
Current thread:
- Snort rule doesn't generate alerts when hosts responding simultaneously Aymen AlAwady (Mar 07)
- Fwd: Snort rule doesn't generate alerts when hosts responding simultaneously Aymen AlAwady (Mar 11)
- Re: Snort rule doesn't generate alerts when hosts responding simultaneously Balasubramaniam Natarajan (Mar 11)
- Re: Snort rule doesn't generate alerts when hosts responding simultaneously Balasubramaniam Natarajan (Mar 11)
- Re: Snort rule doesn't generate alerts when hosts responding simultaneously Joel Esler (Mar 12)
- Re: Snort rule doesn't generate alerts when hosts responding simultaneously Balasubramaniam Natarajan (Mar 11)