Full Disclosure mailing list archives

Re: Scan for IRC

From: Jon Hart <warchild () spoofed org>
Date: Fri, 21 Jan 2005 21:07:11 -0500

On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:

I am so sorry for interrupting the list. I'm trying to pick up IRC
communications on the network. I've made some filters for Ethereal and
Observer but can't seem to pick it up. I'm doing something wrong. Used the
6668-6669 ports. Any help?


In addition to the ports you and others mentioned, don't forget 194, 994
and 6665-6668/TCP.  994 is typically IRC over SSL so all you'll likely
be able to detect with a sniffer is the existence of 994/TCP traffic,
not that its actually SSL.

My suggestion?  Looking for 194, 994 and 6665-6668/TCP will only help
you locate legitimate IRC servers running on standard ports.  But the
really interesting traffic will be on other ports.  So use ngrep:

ngrep -i "NICK|PRIVMSG" tcp

(or something similar)

Snort has a set of signatures that could easily be modified to work on
arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.

-jon
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Scan for IRC RandallM (Jan 21)
- Re: Scan for IRC Athanasius (Jan 21)
- Re: Scan for IRC Oliver Leitner (Jan 21)
  - RE: Scan for IRC Nikolay Baramov (Jan 21)
    - Re: RE: Scan for IRC Frank Knobbe (Jan 21)
- Re: Scan for IRC Kevin (Jan 21)
- Re: Scan for IRC Jon Hart (Jan 21)
- Re: Scan for IRC Paul Schmehl (Jan 21)
- RE: Scan for IRC ALD, Aditya, Aditya Lalit Deshmukh (Jan 22)
  - Re: Scan for IRC Harry Hoffman (Jan 22)