snort-sigs March 2012 archive

[Snort-sigs] Snort rule doesn't generate alerts when hosts responding simultaneously

From: Aymen AlAwady <aymenco777_at_nospam>
Date: Thu Mar 08 2012 - 03:51:34 GMT
To: snort-sigs@lists.sourceforge.net

Hi,

alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspicious act"; \
    content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; \
    flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown; \
    sid:2000346; rev:4;)

The above rule is written to monitor bots' response messages to the
botmaster. The rule works fine, but only when one bot makes the
response; there is no alert, not even one alert for one host, when more than
one host responds simultaneously. I have changed the session time to 30
or 150 but no luck.

Any tips or tricks to make it efficient?

Thanks.

-Aymen

--
Aymen Hassan AlAwady
Master Student of Computer Science (Distributed Computing & Networks)
School of Computer Sciences - Universiti Sains Malaysia (USM)
11800 USM, Penang, MALAYSIA
H/P: +60176181394
Email: aymenh@it.kuiraq.com
Do you really need to print this e-mail? Think globally, act locally
