Hi-Performance Protocol Identification Engine

Internet Relay Chat (IRC)

HiPPIE Name: irc
Protocol Category: Instant Messaging Protocols
Protocol Classification: Full - Partial Prediction

IRC, or Internet Relay Chat, is a protocol that is often looked upon in a negative light.  The warez underground hangs out there, botnets operate over it, and all sorts of other shady happenings take place there.  However, there is a lot of good that happens on IRC, such as support for open source projects, and lots of other things.  Sometimes, however, you just need to classify the IRC traffic or, as in my case when creating this signature, the DCC traffic, so you can get a handle on just how much bandwidth it is taking up.

There are two parts to this classification: the part that classifies the IRC protocol itself, and the piece that keeps looking for the DCC connections to classify.  The first part looks for two things that must take place to initiate an IRC connection: the sending of the user settings and the setting of the nickname.  The only problem is that they can happen in either order, or even both within the same packet, so we must wait until both have happened before classifying the packet.

Then, to classify the DCC traffic, we must wait for the appropriate message to pass from the sender to the server, or from the server to the recipient.  The only difference between these two messages is that the sender will not preface the message with who they are, whereas the recipient will receive what the sender sent with the sender's information in front of it.  The messages are formatted like this:

<sender>PRIVMSG <recipient> DCC SEND <filename> <senders address> <senders open port>

If the packet arrives without a sender, it is the message from the sender to the server, and we therefore don't know the originating end's IP address.  We can only predict that a session will be opened to <senders address>:<senders open port> from SOME address, and classify it as IRC-DCC.  However, if we do have the sender information, we know it is the packet from the server to the recipient, and we can predict a connection from the recipient's IP address (the destination address of the packet) to <senders address>:<senders open port> and classify it as IRC-DCC.
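As an added illustration of both pieces of this logic (example code written for this page, not HiPPIE's own): the IRC part tracks the USER and NICK commands per flow in either order, and the DCC part parses the message layout above and returns the flow to pre-classify as IRC-DCC. The USER/NICK command names, the stripping of CTCP framing (the \x01 delimiters and leading colons), and accepting the sender's address as either a dotted quad or the unsigned 32-bit integer DCC normally carries are my assumptions beyond the page's description.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# DCC SEND layout as the page describes it; the leading <sender> prefix is optional.
# Constructed pattern: CTCP framing (\x01 delimiters, ':' prefixes) is stripped first.
DCC_SEND_RE = re.compile(
    r"^(?:(?P<sender>\S+)\s+)?PRIVMSG\s+\S+\s+DCC\s+SEND\s+"
    r"(?P<filename>\S+)\s+(?P<addr>\S+)\s+(?P<port>\d{1,5})$"
)

@dataclass(frozen=True)
class DccPrediction:
    src_ip: Optional[str]  # None means "SOME address": client->server copy, peer unknown
    dst_ip: str            # <senders address>, where the DCC session will be accepted
    dst_port: int          # <senders open port>
    label: str = "IRC-DCC"

def _sender_ip(raw: str) -> str:
    # Assumption: DCC carries the address as dotted quad or as an unsigned 32-bit integer.
    return str(ipaddress.IPv4Address(int(raw) if raw.isdigit() else raw))

def predict_dcc(line: str, pkt_dst_ip: str) -> Optional[DccPrediction]:
    """Return the flow to pre-classify, or None if the line is not a DCC SEND."""
    text = line.strip().replace("\x01", "").replace(" :", " ").lstrip(":")
    m = DCC_SEND_RE.match(text)
    if not m:
        return None
    port = int(m["port"])
    if not 0 < port < 65536:
        return None
    # No prefix: this is the sender's own message to the server, so the address that
    # will eventually connect is unknown. With a prefix it is the server's copy to the
    # recipient, and the packet's destination IP is the host that will connect.
    src = pkt_dst_ip if m["sender"] else None
    return DccPrediction(src, _sender_ip(m["addr"]), port)

def classify_irc(seen: set, payload: str) -> Optional[str]:
    """Track USER and NICK per flow (caller keeps `seen`); classify once both are seen."""
    for msg in payload.splitlines():
        cmd = msg.split(" ", 1)[0].upper()
        if cmd in ("USER", "NICK"):
            seen.add(cmd)
    return "IRC" if {"USER", "NICK"} <= seen else None
```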

