Message-ID: <20050122020711.GC1846@spoofed.org>
From: warchild at spoofed.org (Jon Hart)
Subject: Scan for IRC

On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC
> communications on the network. I've made some filters for Ethereal and
> Observer but can't seem to pick it up. I'm doing something wrong. Used the
> 6668-6669 ports. Any help?

In addition to the ports you and others mentioned, don't forget 194, 994
and 6665-6668/TCP. 994 is typically IRC over SSL so all you'll likely
be able to detect with a sniffer is the existence of 994/TCP traffic, not
that it's actually SSL.

My suggestion? Looking for 194, 994 and 6665-6668/TCP will only help you
locate legitimate IRC servers running on standard ports. But the really
interesting traffic will be on other ports. So use ngrep:

    ngrep -i "NICK|PRIVMSG" tcp

(or something similar)

Snort has a set of signatures that could easily be modified to work on
arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.

-jon
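
Added example (not part of the original post): a port-independent IRC check in the spirit of the ngrep suggestion above, anchored to the IRC line grammar so that a case-insensitive hit on a word like "nickname" in an HTTP body is not reported. The command list, the parameter minimums (taken from RFC 1459) and the sample payloads are assumptions made for this example.

```python
import re

# One IRC message per line (RFC 1459 section 2.3):
#   [":" prefix SPACE] command SPACE params
IRC_LINE = re.compile(
    rb"^(?::\S+ +)?(NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG) +(\S.*)$",
    re.IGNORECASE,
)
# Minimum parameter count per command (RFC 1459); fewer is treated as not IRC.
MIN_PARAMS = {b"NICK": 1, b"USER": 4, b"JOIN": 1, b"PRIVMSG": 2,
              b"NOTICE": 2, b"PING": 1, b"PONG": 1}

# Constructed sample payloads (not captured traffic): (destination port, TCP payload)
SAMPLE_FLOWS = [
    (6667, b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    (8080, b"NICK x7f3\r\nUSER x7f3 0 * :x\r\nJOIN #chan\r\n"),
    (80, b"POST /signup HTTP/1.1\r\nHost: example.test\r\n\r\nnickname=alice&privmsg=off"),
    (443, b"\x16\x03\x01\x00\x05hello"),
]


def irc_commands(payload: bytes) -> list[str]:
    """Return the IRC commands that start a line in one TCP payload."""
    found = []
    for line in payload.splitlines():
        m = IRC_LINE.match(line)
        if not m:
            continue
        cmd, rest = m.group(1).upper(), m.group(2)
        if rest.startswith(b":"):
            nparams = 1  # only a trailing parameter, e.g. "PING :server"
        else:
            # Middle parameters are space-separated; " :" starts the trailing one.
            head, sep, _ = rest.partition(b" :")
            nparams = len(head.split()) + (1 if sep else 0)
        if nparams >= MIN_PARAMS[cmd]:
            found.append(cmd.decode())
    return found


def scan(flows):
    """Return (dst_port, commands) for each flow that carries IRC, on any port."""
    return [(port, cmds) for port, payload in flows if (cmds := irc_commands(payload))]


if __name__ == "__main__":
    for port, cmds in scan(SAMPLE_FLOWS):
        print(f"IRC on {port}/TCP: {', '.join(cmds)}")
```

The port 80 sample is the case a plain case-insensitive substring match would flag; here only the 6667 and 8080 flows are reported.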