Re: Re: Sig on psyBNC IRCproxy: msg#00125 (security.ids.snort.bleedingsnort)
I've added this sig to the irc proto chain. I think it'll solve all the issues in one sig without adding any significant load.

```
alert tcp any any -> any any (msg:"BLEEDING-EDGE TROJAN psyBNC IRC Server Connection"; flowbits:isset,irc.start; flow:to_server,established; content:"\:Welcome!psyBNC"; offset:0; depth:15; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2003929; rev:1;)
```

This adds a way for the irc proto chain to get to a hit without a join command. It'll go right to alerts if there's a NICK, JOIN and then psybnc. Should eliminate the falses the existing psybnc sig is famous for in into.rules. Please test!

Matt

--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
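Added example, not from the post or from Bleeding Edge Threats: a small Python model of the flowbits and content logic in the rule above, run over constructed IRC payloads, to show why the rule only fires once the chain has already marked the flow as IRC. The NICK rule is a hypothetical stand-in for the chain's existing rules; the welcome line and hostname are constructed.

```python
# Added example, not from the original post: a tiny model of Snort's
# flowbits/content handling for the posted psyBNC rule (sid 2003929).
# The NICK rule below is a hypothetical stand-in for the irc proto
# chain's own rules; the payloads and hostname are constructed.

PSYBNC_CONTENT = b":Welcome!psyBNC"   # the rule's content, exactly 15 bytes


def content_match(payload, needle, offset=0, depth=None, nocase=False):
    """Snort-style content check restricted to payload[offset:offset+depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        return needle.lower() in window.lower()
    return needle in window


def nick_rule(direction, payload, bits):
    """Hypothetical chain rule: a client NICK marks the flow as IRC (no alert)."""
    if direction == "to_server" and payload.upper().startswith(b"NICK "):
        bits.add("irc.start")
    return None


def psybnc_rule(direction, payload, bits):
    """The posted rule: isset irc.start, to_server, content at offset 0 / depth 15, nocase."""
    if "irc.start" not in bits or direction != "to_server":
        return None
    if not content_match(payload, PSYBNC_CONTENT, offset=0, depth=15, nocase=True):
        return None
    bits.update({"irc.start", "is_proto_irc"})   # flowbits:set on a hit
    return "BLEEDING-EDGE TROJAN psyBNC IRC Server Connection"


def run_flow(packets):
    """Evaluate both rules over one TCP flow; return the alert messages raised."""
    bits, alerts = set(), []
    for direction, payload in packets:
        for rule in (nick_rule, psybnc_rule):
            msg = rule(direction, payload, bits)
            if msg:
                alerts.append(msg)
    return alerts


# Constructed flows (direction, payload)
WELCOME = b":Welcome!psyBNC@example.net NOTICE bot :Welcome to psyBNC\r\n"
FLOW_WITH_NICK = [("to_server", b"NICK bot\r\n"), ("to_server", WELCOME)]
FLOW_NO_NICK = [("to_server", WELCOME)]          # bare content rule would alert here
FLOW_NOT_AT_START = [("to_server", b"NICK bot\r\n"), ("to_server", b"PRIVMSG x " + WELCOME)]
```

The third flow shows the offset/depth window: the same string later in the packet does not match, because depth 15 from offset 0 only covers the first 15 bytes.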