Snort mailing list archives
Re: PORN Virgin
From: "Ian Macdonald" <secsnort () dirk demon co uk>
Date: Tue, 3 Sep 2002 09:55:16 -0400
This rule is disabled by default in the current snortrules-stable.tar.gz on snort.org. Maybe you should update your rule set? I would look very closely at the porn rules and see if they make sense, the there are a few rules in there that match on a single word that will generate a lot of false positives (These are disabled in the the rule set on snort.org) Ian ----- Original Message ----- From: "Phil Wood" <cpw () lanl gov> To: "Tony Wong" <tony.wong () stanford edu> Cc: <snort-users () lists sourceforge net> Sent: Wednesday, August 28, 2002 6:53 PM Subject: Re: [Snort-users] PORN Virgin
On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:Everytime I bring up ACID from my workstation browser. I see "PORN Virgin" from my workstation to the IDS box which is also running ACID. Why is that?Either someone is interested in "virgin wool", "a young virgin cow", or you are sending your rule set over the net and capturing it with your carefully configured snort IDS. Have you bothered to look at the data surrounding the key word "virgin" (using ACID). Also, check your collection of rules for the keyword "virgin". Oh, heck I can do that! $ cd where-ever-your-rules-are $ grep -i virgin * porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:
"PORN virgin"; content: "virgin "; nocase; flow: to_client,established; classtype: kickass-porn; sid:1796; rev:2;)
------------------------------------------------------- This sf.net email is sponsored by: Jabber - The world's fastest growing real-time communications platform! Don't just IM. Build it in! http://www.jabber.com/osdn/xim _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Phil Wood, cpw () lanl gov ------------------------------------------------------- This sf.net email is sponsored by: Jabber - The world's fastest growing real-time communications platform! Don't just IM. Build it in! http://www.jabber.com/osdn/xim _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- PORN Virgin Tony Wong (Aug 28)
- Re: PORN Virgin Phil Wood (Aug 28)
- Re: PORN Virgin Ian Macdonald (Sep 03)
- <Possible follow-ups>
- RE: PORN Virgin McCammon, Keith (Aug 28)
- RE: PORN Virgin Clint Byrum (Aug 28)
- RE: PORN Virgin Matthew Wagenknecht (Aug 29)
- Re: PORN Virgin Alexander Hoogerhuis (Aug 31)
- Re: PORN Virgin Phil Wood (Aug 28)