On Fri, Jan 21, 2005 at 05:34:00PM -0600, RandallM wrote:
> I am so sorry for interrupting the list. I'm trying to pick up IRC
> communications on the network. I've made some filters for Ethereal and
> Observer but can't seem to pick it up. I'm doing something wrong. Used the
> 6668-6669 ports. Any help?
In addition to the ports you and others mentioned, don't forget 194, 994 and 6665-6668/TCP. 994 is typically IRC over SSL, so all you'll likely be able to detect with a sniffer is the existence of 994/TCP traffic, not that it's actually SSL.

My suggestion? Looking for 194, 994 and 6665-6668/TCP will only help you locate legitimate IRC servers running on standard ports. But the really interesting traffic will be on other ports. So use ngrep:

    ngrep -i "NICK|PRIVMSG" tcp

(or something similar)

Snort has a set of signatures that could easily be modified to work on arbitrary ports to detect IRC -- check out SID 542, 1463 and 1729.

-jon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
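The port-independent, content-based approach jon describes, as an added example that is not part of the original thread: instead of a bare `NICK|PRIVMSG` substring match (which also fires on an HTTP page that happens to contain the word "NICK"), this checks that IRC commands appear at the start of CRLF-delimited lines in the RFC 1459 message shape and flags a flow once it has shown several distinct commands. The packet tuples, addresses and flow format are constructed for illustration.

```python
import re

# IRC commands whose appearance at the start of a line is a strong protocol
# signal, whatever TCP port the connection uses. Commands are case-insensitive.
IRC_COMMANDS = {"NICK", "USER", "PRIVMSG", "JOIN", "PING", "PONG",
                "NOTICE", "MODE", "PASS"}

# RFC 1459 message shape: [":" prefix " "] command [" " params] CRLF
_IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Za-z]+)(?: |$)")

def irc_command_lines(payload: bytes) -> list:
    """Return the IRC commands found at the start of lines in one TCP payload."""
    found = []
    for line in payload.split(b"\n"):
        m = _IRC_LINE.match(line.rstrip(b"\r"))
        if m:
            cmd = m.group(1).upper().decode()
            if cmd in IRC_COMMANDS:
                found.append(cmd)
    return found

def flag_irc_flows(packets, min_commands=2) -> dict:
    """Group packets into bidirectional flows and return those that carried at
    least min_commands distinct IRC commands (port is deliberately ignored).
    packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload)."""
    per_flow = {}
    for src, sport, dst, dport, payload in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic
        per_flow.setdefault(key, set()).update(irc_command_lines(payload))
    # A single stray command line is a weak signal; require a small handshake.
    return {k: sorted(v) for k, v in per_flow.items() if len(v) >= min_commands}

# Constructed sample packets (not capture data): a client speaking IRC on
# 8080, an HTTP body that merely mentions "NICK", and a lone NICK on 6667.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40211, "203.0.113.9", 8080, b"NICK bot1234\r\nUSER x 0 * :x\r\n"),
    ("203.0.113.9", 8080, "10.0.0.5", 40211, b":irc.example PING :irc.example\r\n"),
    ("10.0.0.5", 40211, "203.0.113.9", 8080, b"join #chan\r\nPRIVMSG #chan :hi\r\n"),
    ("10.0.0.7", 51000, "198.51.100.2", 80,
     b"HTTP/1.1 200 OK\r\n\r\n<p>Pick a NICK name</p>\r\n"),
    ("10.0.0.8", 51999, "198.51.100.3", 6667, b"NICK alice\r\n"),
]

if __name__ == "__main__":
    for flow, cmds in flag_irc_flows(SAMPLE_PACKETS).items():
        print(flow, cmds)
```

The same line-anchored pattern translates directly into a Snort content/pcre match with `any` as the destination port, which is the modification jon suggests for the stock IRC signatures.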
