Message-ID: <20050122020711.GC1846@spoofed.org>
From: warchild at spoofed.org (Jon Hart)
Subject: Scan for IRC

On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC
> communications on the network. I've made some filters for Ethereal and
> Observer but can't seem to pick it up. I'm doing something wrong. Used the
> 6668-6669 ports. Any help? 

In addition to the ports you and others mentioned, don't forget 194, 994
and 6665-6668/TCP.  994 is typically IRC over SSL so all you'll likely
be able to detect with a sniffer is the existence of 994/TCP traffic,
not that it's actually SSL.

My suggestion?  Looking for 194, 994 and 6665-6668/TCP will only help
you locate legitimate IRC servers running on standard ports.  But the
really interesting traffic will be on other ports.  So use ngrep:

ngrep -i "NICK|PRIVMSG" tcp

(or something similar)

Snort has a set of signatures that could easily be modified to work on
arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.

-jon
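
Added example, not part of the original post: a port-independent check in the spirit of the ngrep filter above, applied to reassembled TCP payloads. It anchors the IRC commands at the start of a line so that ordinary text containing "nick" or "privmsg" does not match. The function names, labels and sample payloads are constructed for illustration.

```python
import re

# A line counts as IRC only if it starts with an optional ":prefix " and a
# known command followed by a parameter (RFC 1459 message layout). A bare
# substring match on "NICK" also fires on HTTP paths, mail text and so on.
IRC_LINE = re.compile(
    rb"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG) +\S", re.IGNORECASE)

# Ports named in the thread: 194, 994, 6665-6668 and 6668-6669.
STANDARD_PORTS = {194, 994} | set(range(6665, 6670))

def irc_commands(payload: bytes) -> list[str]:
    """Return IRC commands found at the start of lines in one TCP payload."""
    found = []
    for line in payload.split(b"\n"):
        m = IRC_LINE.match(line.rstrip(b"\r"))
        if m:
            found.append(m.group(1).decode().upper())
    return found

def classify(dst_port: int, payload: bytes) -> str:
    """Label a payload as IRC on a listed port, IRC elsewhere, or not IRC."""
    cmds = set(irc_commands(payload))
    # Require a NICK+USER registration pair, or JOIN/PRIVMSG channel traffic.
    if not ({"NICK", "USER"} <= cmds or cmds & {"JOIN", "PRIVMSG"}):
        return "not-irc"
    return "irc-listed-port" if dst_port in STANDARD_PORTS else "irc-unlisted-port"

# Constructed sample payloads (destination port, bytes); not captured traffic.
SAMPLES = [
    (6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    (8080, b"NICK node7\r\nUSER node7 0 * :n\r\nJOIN #ops\r\n"),
    (4000, b":alice!a@host.example PRIVMSG #ops :hello\r\n"),
    (80, b"GET /nickname?privmsg=1 HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    (25, b"Subject: Nick said hi\r\n\r\nNick will join us later.\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data), irc_commands(data))
```

The port 25 sample shows why a lone NICK match is not treated as IRC: the mail body line starting with "Nick" matches the pattern, but without a USER line the payload is still classified as not IRC.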
