Aymen
Mar 7, 2012, 10:56:31 PM
to Aanval - Snort & Syslog SIEM (Correlation and Threat Management)
Hi,
I hope this post is not off topic for the group...
alert tcp any any -> any any (msg:"PRIVMSG from an IRC channel suspicious act"; content:"PRIVMSG"; offset:0; depth:7; nocase; dsize:<64; flow:to_server,established; tag:session,300,seconds; classtype:bad-unknown; sid:2000346; rev:4;)
The above rule is written to monitor bots' response messages to the botmaster. The rule is working fine, but only when one bot is responding; there is no alert, or only one alert for a single host, when more than one host responds simultaneously. I have changed the session time to 30 or 150 but no luck.
Any tips or tricks to make it efficient?
Thanks.
-Aymen