Snort mailing list archives

RE: rules not being matched...


From: "Harper, Patrick" <Patrick.Harper () phns com>
Date: Sat, 8 Jan 2005 22:38:38 -0600

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Look in the porn.rules file, it will show you what they are looking
for.  Also they have some rules at www.bleedingsnort.com that might
be of interest to you including some rules to pick up common kiddy
porn terms as well as rules that would trigger for porn surfing.




 
- -----Original Message-----
From: Christensen Tom [mailto:paveraware () hotmail com] 
Sent: Saturday, January 08, 2005 8:51 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] rules not being matched...

I have a couple of quick questions, I am trying to deploy snort for a
small office and the owners would like to be notified if their
employees are browsing porn as they have had problems with this in the
past.  I tried enabling the porn.rules line that is commented out by
default in the snort.conf file and restarted snort afterwards, however
browsing porn does not generate any alerts.  Other alerts are
happening, so I know that my snort install is working properly.  My
question is where are the rules in this file looking for the strings?
In the actual http content or in headers, urls, etc?

Tom




- -------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQeC1TZiWafDb7+B/EQK4kgCgrdU9F+sAxlvJBibBKgqIOftDX24AoKuB
4tQH3nF2pmrLoI2NHTCCic++
=/+nh
-----END PGP SIGNATURE-----



