|
Full Disclosure
mailing list archives
Re: Scan for IRC
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 21 Jan 2005 21:47:24 -0600
--On Friday, January 21, 2005 5:34 PM -0600 RandallM <randallm () fidmail com>
wrote:
I am so sorry for interrupting the list. I'm trying to pick up IRC
communications on the network. I've made some filters for Ethereal and
Observer but can't seem to pick it up. I'm doing something wrong. Used the
6668-6669 ports. Any help?
You'll have a lot more success using something like snort or tcpdump to
catch them. For example, you could easily write a couple of rules that
would catch any IRC communications, regardless of the port used.
alert tcp $HOME_NET any -> any any (msg:"IRC communications"; content:
JOIN; sid: 1000000; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"IRC communications"; content:
PRIVMSG; sid: 1000001; rev:1;)
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
- Re: Scan for IRC, (continued)
|
Intro
