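# ---------------------------------------------------------------------------
# IRC protocol tagging
#
# This rule merely looks for IRC traffic on any TCP port (by detecting
# NICK change events, which occur at the beginning of the session) and
# sets the is_proto_irc flowbit.  It does not actually generate any alerts
# itself (flowbits:noalert).
#
# Notes:
#  - "NICK " must sit in the first five bytes of a client->server segment
#    (offset:0; depth:5).  A NICK anywhere else in the segment does not tag
#    the flow, so every rule below that depends on is_proto_irc stays silent
#    for that session.
#  - The header is "any any -> any any", so the tag (and therefore all the
#    dependent rules) applies on every TCP port, not just the usual IRC ones.
#  - One rule per line: Snort treats "#" to end of line as a comment, so a
#    rule must never share a line with comment text.
# ---------------------------------------------------------------------------
alert tcp any any -> any any (msg:"IRC TRAFFIC DETECTED BY NICK CHANGE"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits: set,is_proto_irc; flowbits: noalert; sid:9000075; rev:1;)

# Using the aforementioned is_proto_irc flowbit, do some IRC checks.
# This one looks for IRC servers running on the $HOME_NET: a client->server
# segment that comes in from $EXTERNAL_NET on a flow already tagged as IRC
# means the server end of that conversation is an internal host.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Internal IRC server detected"; flow: to_server,established; flowbits: isset,is_proto_irc; classtype: policy-violation; sid:9000076; rev:1;)

# ---------------------------------------------------------------------------
# Agobot/PhatBot
#
# These rules look for specific Agobot/PhatBot commands on an IRC session.
#
# Notes:
#  - The header is $HOME_NET -> $EXTERNAL_NET, so only segments *leaving*
#    the home network are inspected (flow:established carries no direction
#    of its own).  A command an external herder sends to an internal bot
#    travels the other way and will not match these rules as written.
#    NOTE(review): confirm that outbound-only is the intended direction for
#    this deployment; otherwise a mirrored $EXTERNAL_NET -> $HOME_NET set is
#    needed.
#  - Each content match is a case-sensitive substring match with no trailing
#    boundary.  "bot.remove" (sid 9000084) is therefore also matched by
#    every "bot.removeallbut" (sid 9000085) -- expect the two alerts to
#    fire together.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.about command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.about"; classtype: trojan-activity; sid:9000077; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.die command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.die"; classtype: trojan-activity; sid:9000078; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.dns command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.dns"; classtype: trojan-activity; sid:9000079; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.execute command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.execute"; classtype: trojan-activity; sid:9000080; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.id command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.id"; classtype: trojan-activity; sid:9000081; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.nick command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.nick"; classtype: trojan-activity; sid:9000082; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.open command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.open"; classtype: trojan-activity; sid:9000083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.remove command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.remove"; classtype: trojan-activity; sid:9000084; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.removeallbut command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.removeallbut"; classtype: trojan-activity; sid:9000085; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.rndnick command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.rndnick"; classtype: trojan-activity; sid:9000086; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.status command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.status"; classtype: trojan-activity; sid:9000087; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.sysinfo command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.sysinfo"; classtype: trojan-activity; sid:9000088; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.longuptime command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.longuptime"; classtype: trojan-activity; sid:9000089; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.highspeed command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.highspeed"; classtype: trojan-activity; sid:9000090; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.quit command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.quit"; classtype: trojan-activity; sid:9000091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.flushdns command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.flushdns"; classtype: trojan-activity; sid:9000092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.secure command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.secure"; classtype: trojan-activity; sid:9000093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.unsecure command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.unsecure"; classtype: trojan-activity; sid:9000094; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Agobot/PhatBot bot.command command"; flow: established; flowbits: isset,is_proto_irc; content:"bot.command"; classtype: trojan-activity; sid:9000095; rev:1;)

# Now some rules to look for SDBot traffic, also on established IRC sessions.
# There are fewer of these, since the commands themselves aren't so distinctive
# (don't want a lot of false positives on regular IRC conversations).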
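# ---------------------------------------------------------------------------
# SDBot
#
# Commands seen on an established, IRC-tagged session, outbound from
# $HOME_NET only (same direction caveat as the Agobot rules above).
#
# Notes:
#  - "killthread" additionally requires a numeric argument via pcre
#    (/killthread\s+\d+\b/); the bare word alone does not alert.
#  - The remaining matches are plain substrings with no boundary, so some
#    rules overlap by construction:
#      "cdkey"   (9000097) also fires on every "getcdkey"   (9000098)
#      "rndnick" (9000099) also fires on every "c_rndnick"  (9000100)
#                          and on Agobot's "bot.rndnick"    (9000086)
#    Expect those alerts in pairs rather than treating them as two events.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SDBot killthread command"; flow: established; flowbits: isset,is_proto_irc; content:"killthread"; pcre:"/killthread\s+\d+\b/"; classtype: trojan-activity; sid:9000096; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SDBot cdkey command"; flow: established; flowbits: isset,is_proto_irc; content:"cdkey"; classtype: trojan-activity; sid:9000097; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SDBot getcdkey command"; flow: established; flowbits: isset,is_proto_irc; content:"getcdkey"; classtype: trojan-activity; sid:9000098; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SDBot rndnick command"; flow: established; flowbits: isset,is_proto_irc; content:"rndnick"; classtype: trojan-activity; sid:9000099; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SDBot c_rndnick command"; flow: established; flowbits: isset,is_proto_irc; content:"c_rndnick"; classtype: trojan-activity; sid:9000100; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SDBot c_nick command"; flow: established; flowbits: isset,is_proto_irc; content:"c_nick"; classtype: trojan-activity; sid:9000101; rev:1;)

# ---------------------------------------------------------------------------
# SpyBot
#
# Same shape as the SDBot rules: case-sensitive substring match on an
# established, IRC-tagged, outbound session.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SpyBot stopspy command"; flow: established; flowbits: isset,is_proto_irc; content:"stopspy"; classtype: trojan-activity; sid:9000102; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SpyBot redirectspy command"; flow: established; flowbits: isset,is_proto_irc; content:"redirectspy"; classtype: trojan-activity; sid:9000103; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SpyBot loadclones command"; flow: established; flowbits: isset,is_proto_irc; content:"loadclones"; classtype: trojan-activity; sid:9000104; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SpyBot killclones command"; flow: established; flowbits: isset,is_proto_irc; content:"killclones"; classtype: trojan-activity; sid:9000105; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SpyBot rawclones command"; flow: established; flowbits: isset,is_proto_irc; content:"rawclones"; classtype: trojan-activity; sid:9000106; rev:1;)

# ---------------------------------------------------------------------------
# GT Bot
#
# These try to account for the case where the bot herder has redefined the
# command character away from the default '!': the content keyword is the
# fast-pattern prefilter, and the pcre then only requires that the byte
# immediately before the command word is neither alphanumeric nor ':'.
# The leading class also keeps "scan" (9000109) from firing on "portscan"
# and "stopscan", since the byte before "scan" is a letter there.
#
# The only bug here is that this won't detect the ':' as the cmdchar.  IRC
# uses the colon as part of the protocol message, and it was confusing
# any message that started with (e.g.) "portscan" at the beginning of the
# line and bot commands in the form of ":portscan".
#
# rev:2 -- a trailing \b was added to every pcre so the command word must
# end at a word boundary.  Without it, "ver" also matched ordinary chat
# such as " very" / " version", "info" matched " information", "scan"
# matched " scanner" and "packet" matched " packets".  A command word that
# is followed by whitespace, end of line or punctuation (e.g. "!ver",
# "!scan 10.0.0.1") still matches, so the intended detections are kept.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GTBot ver command"; flow: established; flowbits: isset,is_proto_irc; content:"ver"; pcre:"/[^a-zA-Z0-9\:]ver\b/"; classtype: trojan-activity; sid:9000107; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GTBot info command"; flow: established; flowbits: isset,is_proto_irc; content:"info"; pcre:"/[^a-zA-Z0-9\:]info\b/"; classtype: trojan-activity; sid:9000108; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GTBot scan command"; flow: established; flowbits: isset,is_proto_irc; content:"scan"; pcre:"/[^a-zA-Z0-9\:]scan\b/"; classtype: trojan-activity; sid:9000109; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GTBot portscan command"; flow: established; flowbits: isset,is_proto_irc; content:"portscan"; pcre:"/[^a-zA-Z0-9\:]portscan\b/"; classtype: trojan-activity; sid:9000110; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GTBot stopscan command"; flow: established; flowbits: isset,is_proto_irc; content:"stopscan"; pcre:"/[^a-zA-Z0-9\:]stopscan\b/"; classtype: trojan-activity; sid:9000111; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GTBot packet command"; flow: established; flowbits: isset,is_proto_irc; content:"packet"; pcre:"/[^a-zA-Z0-9\:]packet\b/"; classtype: trojan-activity; sid:9000112; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GTBot bnc command"; flow: established; flowbits: isset,is_proto_irc; content:"bnc"; pcre:"/[^a-zA-Z0-9\:]bnc\b/"; classtype: trojan-activity; sid:9000113; rev:2;)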