Reputation: 83
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT IRC Traffic Detected By Nick Change"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits:set,community_is_proto_irc; flowbits: noalert; classtype:misc-activity; sid:100000240; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal IRC server detected"; flow: to_server,established; flowbits:isset,community_is_proto_irc; classtype: policy-violation; sid:100000241; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT IRC message from internal bot"; flow: established; flowbits:isset,community_is_proto_irc; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463;)
The above rules have been written by David Bianco to track IRC bot/server activity on any IRC port. The above rules work fine, but I have a problem with them. My problem happens when multiple IRC servers (some of them work on 7000 and the others work on 6667) run on the network: some of them will meet the conditions of the rules and Snort will generate the alerts, and some of them (or even one of them) will not meet these conditions, and as a result Snort won't generate any alert related to the defined set. I think there's a kind of inconsistency. Any suggestions on that issue? I am working on Snort 2.8.
Upvotes: 0
Views: 1867
Reputation: 83
Thank God, the issue is resolved now... The reason for the problem was a conflict between many rules which were trying to trigger at the same time for the same activity (PRIVMSG), so when I removed these rules, everything was just fine for the above rules.
Upvotes: 0
Reputation: 6973
These IRC rules are quite old and won't (as you've seen) capture all IRC traffic. It's almost impossible to say why they're not matching with a network capture or trace.
The first rule sets a flowbit based on the rule matching the traffic (based on a case-insensitive match of the word 'NICK' from offset 0 for a depth of 5); if the first rule doesn't match the traffic, then it won't set the flowbit "community_is_proto_irc". Here's an old explanation on flowbits - http://forums.snort.org/forums/rules/topics/flowbits.
The second rule simply alerts on the presence of the flowbit (for traffic from external to home) whilst the third rule is more granular with a content match (and the traffic flow reversed).
I'd recommend getting a pcap for the non-matching IRC traffic and firing it through Snort locally to see what's being missed and then tailoring your rules accordingly (snort -r test.pcap -c /etc/snort_test.conf) - http://manual.snort.org/node8.html.
HTH!
Upvotes: 3
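To make the flowbit chaining in this answer concrete, here is an added illustration (not Snort code, and not from either poster) that models only the handful of options the three rules use (content with nocase/offset/depth, the flow direction, and flowbits set/isset/noalert) and runs them over two constructed IRC sessions. The packets, nicks and channel names are made up; the HOME_NET/EXTERNAL_NET split is assumed to be disjoint, and stream reassembly, rule ordering and thresholding are ignored.

```python
"""Toy model of how Snort flowbits tie the three IRC rules together.

Rule 100000240 sets community_is_proto_irc on a flow when 'NICK ' is found
within the first 5 bytes of a client-to-server payload (offset 0, depth 5).
Rule 1463 alerts on 'PRIVMSG ' only if that bit is already set on the flow.
A session whose first segment does not start with 'NICK ' never gets the
bit, so its PRIVMSG traffic is silent - the behaviour the answer describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    sid: int
    msg: str
    src_home: Optional[bool]       # True: $HOME_NET -> $EXTERNAL_NET, False: reverse
    direction: str                 # "to_server", "to_client" or "" (either)
    content: Optional[str] = None  # matched case-insensitively (nocase)
    offset: int = 0
    depth: Optional[int] = None    # None: search the whole payload
    set_bit: Optional[str] = None
    isset_bit: Optional[str] = None
    noalert: bool = False


@dataclass
class Packet:
    flow_id: str
    src_home: bool
    direction: str
    payload: bytes


# Hand-transcribed from the three rules in the question.
RULES = [
    Rule(100000240, "COMMUNITY BOT IRC Traffic Detected By Nick Change",
         src_home=True, direction="to_server", content="NICK ", offset=0,
         depth=5, set_bit="community_is_proto_irc", noalert=True),
    Rule(100000241, "COMMUNITY BOT Internal IRC server detected",
         src_home=False, direction="to_server",
         isset_bit="community_is_proto_irc"),
    Rule(1463, "CHAT IRC message from internal bot",
         src_home=True, direction="", content="PRIVMSG ",
         isset_bit="community_is_proto_irc"),
]


def match_content(payload: bytes, rule: Rule) -> bool:
    """Snort-style content check: offset/depth bound the search window, nocase folds case."""
    if rule.content is None:
        return True
    window = payload[rule.offset:]
    if rule.depth is not None:
        window = window[:rule.depth]
    return rule.content.lower().encode() in window.lower()


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Run each packet through every rule; flowbits are kept per flow, as in Snort."""
    flowbits: Dict[str, Set[str]] = {}
    alerts: List[str] = []
    for pkt in packets:
        bits = flowbits.setdefault(pkt.flow_id, set())
        for rule in rules:
            if rule.src_home is not None and rule.src_home != pkt.src_home:
                continue                      # header direction does not match
            if rule.direction and rule.direction != pkt.direction:
                continue                      # flow:to_server / to_client mismatch
            if not match_content(pkt.payload, rule):
                continue
            if rule.isset_bit and rule.isset_bit not in bits:
                continue                      # flowbits:isset failed
            if rule.set_bit:
                bits.add(rule.set_bit)        # flowbits:set
            if not rule.noalert:
                alerts.append(f"[{rule.sid}] {rule.msg} ({pkt.flow_id})")
    return alerts


# Constructed sample traffic (not a real capture). Flow "bot-a" sends NICK as
# the first command in its own segment; flow "bot-b" sends USER first and NICK
# later in the same segment, so "NICK " is outside offset 0 / depth 5.
SAMPLE_PACKETS = [
    Packet("bot-a", True, "to_server", b"NICK botA\r\n"),
    Packet("bot-a", True, "to_server", b"USER botA 0 * :botA\r\n"),
    Packet("bot-a", False, "to_client", b":irc.example.test 001 botA :Welcome\r\n"),
    Packet("bot-a", True, "to_server", b"PRIVMSG #ctrl :checking in\r\n"),
    Packet("bot-b", True, "to_server", b"USER botB 0 * :botB\r\nNICK botB\r\n"),
    Packet("bot-b", False, "to_client", b":irc.example.test 001 botB :Welcome\r\n"),
    Packet("bot-b", True, "to_server", b"PRIVMSG #ctrl :checking in\r\n"),
]

if __name__ == "__main__":
    for line in evaluate(RULES, SAMPLE_PACKETS):
        print(line)
```

Running it prints a single alert, for "bot-a" only: "bot-b" never had the flowbit set, so its PRIVMSG line is silent even though the traffic is plainly IRC. That is exactly the situation a pcap replay (snort -r) would expose, and the fix is to tailor the bit-setting rule (or add another setter) rather than the PRIVMSG rule. Real Snort also evaluates content against reassembled stream data and applies rule ordering and suppression, none of which this model reproduces.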