Re: PORN Virgin

[Phil Wood <cpw () lanl gov>]

On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:
> Everytime I bring up ACID from my workstation browser. I see "PORN
> Virgin" from my workstation to the IDS box which is also running ACID.
>
> Why is that?

Either someone is interested in "virgin wool", "a young virgin cow", or
you are sending your rule set over the net and capturing it with your
carefully configured snort IDS.  Have you bothered to look at the data
surrounding the key word "virgin" (using ACID).  Also, check your
collection of rules for the keyword "virgin".  Oh, heck I can do that!

$ cd where-ever-your-rules-are
$ grep -i virgin *
porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "PORN virgin"; content: "virgin "; nocase; 
flow: to_client,established; classtype: kickass-porn; sid:1796; rev:2;)

> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's fastest growing 
> real-time communications platform! Don't just IM. Build it in! 
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov



-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users