Snort mailing list archives
not allowing dcc send/receive on irc
From: Petre Bandac <petre () kgb ro>
Date: Sun, 15 Sep 2002 13:25:58 +0300
I have made the following rule
alert tcp any any -> $12 any \
(content: "DCC SEND"; \
regex; \
# offset: 0; \
# depth: 9; \
# flags: SA; \
msg: "worldwide -> 12"; \
react: block; \
logto: "DCC_in"; \
resp: rst_all,icmp_all; )
to disallow any DCC send/receive on the IRC network. I tried to use the flags
option to cut off only the packets containing "DCC SEND" with the SYN
flag set, but it didn't work.
Currently I use the above configuration, but I presume that any message (even
a PRIVMSG) containing the string "DCC SEND" will reset the connection.
Any ideas to make this rule more flexible and efficient? (I'm an extreme
newbie to Snort - I have read the docs and the above is the best I could come
up with :-))
thanks,
petre
--
Login: petre Name: Petre Bandac
Directory: /home/petre Shell: /bin/bash
Office: Brasov, Romania Home Phone: 40-068-324800
On since Sun Sep 15 12:40 (EEST) on tty2 29 minutes 38 seconds idle
No mail.
Plan:
none, for the time being :-)
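
The false-positive concern raised in the message above (ordinary chat text that merely contains "DCC SEND") comes down to CTCP framing: a real offer travels as `PRIVMSG <target> :\x01DCC SEND <file> <ip> <port> [<size>]\x01`. The Python sketch below is an added example, not part of the original post or of Snort; the function name and the sample payloads are constructed for illustration.

```python
import ipaddress
import re

# A DCC offer is a CTCP message: the PRIVMSG trailing parameter starts with
# 0x01, then "DCC SEND", file name, address as a decimal 32-bit integer,
# port, optional size, and a closing 0x01. The ":prefix " part is present
# only on lines relayed by the server.
DCC_OFFER = re.compile(
    rb'^(?::\S+ )?PRIVMSG (?P<target>\S+) :\x01DCC SEND '
    rb'(?P<file>"[^"]*"|\S+) (?P<addr>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01',
    re.IGNORECASE,
)


def parse_dcc_offers(payload: bytes) -> list:
    """Return one dict per genuine DCC SEND offer in a TCP payload."""
    offers = []
    for raw in payload.split(b"\n"):
        m = DCC_OFFER.match(raw.rstrip(b"\r"))
        if m is None:
            continue  # plain text mentioning "DCC SEND" lands here
        addr, port = int(m["addr"]), int(m["port"])
        if addr > 0xFFFFFFFF or port > 65535:
            continue  # malformed fields: not a usable offer
        offers.append({
            "target": m["target"].decode("latin-1"),
            "file": m["file"].decode("latin-1").strip('"'),
            "addr": str(ipaddress.IPv4Address(addr)),
            "port": port,
            "size": int(m["size"]) if m["size"] else None,
        })
    return offers


# Constructed sample payloads (not captured traffic).
REAL_OFFER = (b":alice!a@host.example PRIVMSG bob :"
              b"\x01DCC SEND notes.txt 3221225994 5000 1024\x01\r\n")
CHAT_TEXT = b"PRIVMSG #help :how do I block DCC SEND on my network?\r\n"
LOWERCASE = b"privmsg bob :\x01dcc send \"my file.txt\" 3221225994 0\x01\r\n"

if __name__ == "__main__":
    for sample in (REAL_OFFER, CHAT_TEXT, LOWERCASE):
        print(parse_dcc_offers(sample))
```

A signature written the same way would anchor on the 0x01 byte and the preceding `PRIVMSG` rather than on the bare string.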
