RE: [Full-Disclosure] Scan for IRC

How do you know that you are looking for the IRC traffic? Somewhere you must have seen connections going out to some host or some connection attempts. You could always try sniffing using that IP address on all ports if you have set up everything else correctly... However, if something is not set up correctly then you would have to troubleshoot this. Maybe posting some more info will help us all diagnose this for you and help you out - maybe offlist?

-aditya

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RandallM
Sent: Saturday, January 22, 2005 05:04 AM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Scan for IRC

I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

thank you
Randall M

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
Re: [Full-Disclosure] Scan for IRC

Use ngrep to look for signs of IRC (i.e. PRIVMSG) instead of just looking for the ports IRC (usually, but not always) runs on. Something like:

ngrep -qitd eth0 'privmsg'

will probably get you much better results.

HTH,
Harry

ALD, Aditya, Aditya Lalit Deshmukh wrote:
> How do you know that you are looking for the IRC traffic? Somewhere you must have seen connections going out to some host or some connection attempts. You could always try sniffing using that IP address on all ports if you have set up everything else correctly... However, if something is not set up correctly then you would have to troubleshoot this. Maybe posting some more info will help us all diagnose this for you and help you out - maybe offlist?
>
> -aditya
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RandallM
> Sent: Saturday, January 22, 2005 05:04 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] Scan for IRC
>
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?
>
> thank you
> Randall M
[Full-Disclosure] Scan for IRC

I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

thank you
Randall M
Re: [Full-Disclosure] Scan for IRC

On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

Well, the default port for IRC is 6667, but many servers offer other ports as well. If you know the networks involved then check their webpages for the list of servers/ports you'll want to monitor.

-Ath

--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
Re: [Full-Disclosure] Scan for IRC

On Fri, 21 Jan 2005 17:34:00 -0600, RandallM [EMAIL PROTECTED] wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

Not only can an IRC server be on any port (as mentioned by Oliver Leitner), but clients can also tunnel the connection through proxies, or even fully encrypt chat sessions inside SSL, within an SSH tunnel, or in a binary packet protocol such as SILC.

Assuming the communication is in the clear, you could use Snort to detect IRC communication, regardless of port. More on this topic can be found here:

http://www.giac.org/practical/GSEC/Chris_Hanna_GSEC.pdf

Kevin

(P.S. I don't know who Chris Hanna is, but the paper seems sound.)
Re: [Full-Disclosure] Scan for IRC

On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

In addition to the ports you and others mentioned, don't forget 194, 994 and 6665-6668/TCP. 994 is typically IRC over SSL, so all you'll likely be able to detect with a sniffer is the existence of 994/TCP traffic, not that it's actually SSL.

My suggestion? Looking for 194, 994 and 6665-6668/TCP will only help you locate legitimate IRC servers running on standard ports. But the really interesting traffic will be on other ports. So use ngrep:

ngrep -i 'NICK|PRIVMSG' tcp

(or something similar). Snort has a set of signatures that could easily be modified to work on arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.

-jon
Re: [Full-Disclosure] Scan for IRC

--On Friday, January 21, 2005 5:34 PM -0600 RandallM [EMAIL PROTECTED] wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

You'll have a lot more success using something like snort or tcpdump to catch them. For example, you could easily write a couple of rules that would catch any IRC communications, regardless of the port used.

alert tcp $HOME_NET any -> any any (msg:"IRC communications"; content:"JOIN"; sid:100; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"IRC communications"; content:"PRIVMSG"; sid:101; rev:1;)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
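Jon's ngrep pattern and Paul's Snort rules both key on IRC command words rather than on port numbers. The same idea as a small port-agnostic classifier is shown below; this is an added example, not code from anyone in the thread, and the hosts, ports and payloads are constructed samples (the 994/TCP flow is an opaque TLS ClientHello to show the limit Jon describes).

```python
import re
from typing import List, Tuple

# Commands a client or server sends early and often in any IRC session
# (RFC 1459). Matching on these instead of on 6665-6669/TCP is what the
# ngrep and Snort suggestions in the thread do: a server can listen anywhere.
IRC_COMMANDS = ("NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "PING", "PONG", "MODE")
# Optional ":prefix " (server-to-client lines), then a command at line start.
IRC_LINE = re.compile(rb"^(?::[^ ]+ )?(" + b"|".join(c.encode() for c in IRC_COMMANDS)
                      + rb")(?: |$)", re.IGNORECASE)


def irc_commands_in(payload: bytes) -> List[str]:
    """Return the IRC commands that start lines of a raw TCP payload."""
    found = []
    for line in payload.split(b"\r\n"):
        m = IRC_LINE.match(line)
        if m:
            found.append(m.group(1).decode().upper())
    return found


def looks_like_irc(payload: bytes, min_distinct: int = 2) -> bool:
    """Require two distinct commands so that a lone word such as JOIN in an
    unrelated stream (an HTTP path, say) does not trip the check."""
    return len(set(irc_commands_in(payload))) >= min_distinct


# Constructed sample flows (hypothetical hosts): (src, dst_port, first payload bytes).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.5", 6667, b"NICK rm\r\nUSER rm 0 * :Randall\r\nJOIN #ops\r\n"),
    ("10.0.0.7", 8080, b"NICK bot1\r\nUSER bot1 0 * :x\r\nPRIVMSG #c :hello\r\n"),
    ("10.0.0.9", 80, b"GET /join HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # 994/TCP carries IRC over SSL: only the TLS ClientHello is visible, as Jon notes.
    ("10.0.0.11", 994, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def detect(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, int, List[str]]]:
    """Flag flows whose payload looks like IRC, whatever port they use."""
    return [(src, port, irc_commands_in(p)) for src, port, p in flows if looks_like_irc(p)]


if __name__ == "__main__":
    for src, port, cmds in detect(SAMPLE_FLOWS):
        print(f"{src} -> port {port}: IRC ({', '.join(cmds)})")
```

The 8080 flow is the case a port filter on 6668-6669 misses, and the 994 flow is the case no cleartext signature can catch.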