|
Full Disclosure
mailing list archives
Re: Scan for IRC
From: Jon Hart <warchild () spoofed org>
Date: Fri, 21 Jan 2005 21:07:11 -0500
On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
I am so sorry for interrupting the list. I'm trying to pick up IRC
communications on the network. I've made some filters for Ethereal and
Observer but can't seem to pick it up. I'm doing something wrong. Used the
6668-6669 ports. Any help?
In addition to the ports you and others mentioned, don't forget 194, 994
and 6665-6668/TCP. 994 is typically IRC over SSL so all you'll likely
be able to detect with a sniffer is the existence of 994/TCP traffic,
not that its actually SSL.
My suggestion? Looking for 194, 994 and 6665-6668/TCP will only help
you locate legitimate IRC servers running on standard ports. But the
really interesting traffic will be on other ports. So use ngrep:
ngrep -i "NICK|PRIVMSG" tcp
(or something similar)
Snort has a set of signatures that could easily be modified to work on
arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.
-jon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
- Re: Scan for IRC, (continued)
|
Intro
