Re: [Full-Disclosure] Scan for IRC
- To: RandallM <randallm@xxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Scan for IRC
- From: Jon Hart <warchild@xxxxxxxxxxx>
- Date: Fri, 21 Jan 2005 21:07:11 -0500
On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC
> communications on the network. I've made some filters for Ethereal and
> Observer but can't seem to pick it up. I'm doing something wrong. Used the
> 6668-6669 ports. Any help?
In addition to the ports you and others mentioned, don't forget 194, 994
and 6665-6668/TCP. 994 is typically IRC over SSL so all you'll likely
be able to detect with a sniffer is the existence of 994/TCP traffic,
not that it's actually SSL.
My suggestion? Looking for 194, 994 and 6665-6668/TCP will only help
you locate legitimate IRC servers running on standard ports. But the
really interesting traffic will be on other ports. So use ngrep:
ngrep -i "NICK|PRIVMSG" tcp
(or something similar)
Snort has a set of signatures that could easily be modified to work on
arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.
-jon
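A port-agnostic content check of the kind described above, written in Python as an added example (it is not from this thread, from ngrep or from Snort). It is stricter than the `ngrep -i "NICK|PRIVMSG" tcp` pattern because it requires RFC 1459 line framing, so the bare words inside an HTTP body do not match; the sample payloads are constructed.

```python
import re

# RFC 1459 message framing: optional ":prefix ", then a command (letters or a
# 3-digit numeric reply), optional parameters, terminated by CRLF (LF tolerated).
IRC_LINE = re.compile(
    rb"^(?::[^ \r\n]+ )?(?P<cmd>[A-Za-z]+|\d{3})(?: [^\r\n]*)?\r?\n"
)

# Commands whose presence in a stream is a strong sign of an IRC session.
IRC_COMMANDS = {b"NICK", b"USER", b"PRIVMSG", b"NOTICE", b"JOIN",
                b"MODE", b"PING", b"PONG"}


def irc_commands_in_payload(payload: bytes) -> list:
    """Return the IRC commands (upper-cased) found at line starts in a TCP payload.

    Looks only at content, never at the port, so IRC on 6669, 80 or 443-ish
    ports is caught the same way.  Numeric replies (001, 353, ...) count too.
    """
    found = []
    for line in payload.split(b"\n"):
        m = IRC_LINE.match(line + b"\n")
        if not m:
            continue
        cmd = m.group("cmd").upper()
        if cmd in IRC_COMMANDS or cmd.isdigit():
            found.append(cmd.decode())
    return found


def looks_like_irc(payload: bytes, min_hits: int = 2) -> bool:
    """Flag a payload once at least `min_hits` distinct IRC commands appear."""
    return len(set(irc_commands_in_payload(payload))) >= min_hits


# Constructed samples: an IRC registration as it would look on any port, and an
# HTTP request whose body merely mentions the same words.
SAMPLE_IRC = (b"NICK bot1234\r\n"
              b"USER bot 0 * :bot\r\n"
              b":irc.example.test 001 bot1234 :Welcome\r\n"
              b"PRIVMSG #chan :hello\r\n")
SAMPLE_HTTP = (b"POST /x HTTP/1.1\r\nHost: example.test\r\n\r\n"
               b"we use NICK and PRIVMSG words here\r\n")

if __name__ == "__main__":
    print(irc_commands_in_payload(SAMPLE_IRC), looks_like_irc(SAMPLE_IRC))
    print(irc_commands_in_payload(SAMPLE_HTTP), looks_like_irc(SAMPLE_HTTP))
```

Feed it reassembled TCP payloads (e.g. from a pcap) rather than single packets, since a registration often spans several segments.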
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html