Snort mailing list archives

RE: PORN Virgin


From: Matthew Wagenknecht <Matthew.Wagenknecht () quantum com>
Date: Thu, 29 Aug 2002 08:25:10 -0600

You can always use the -o option to process pass rules first and add:

pass tcp <snortbox> 80 -> any any

Virginia also triggers..  =c)


..:: Matt ::..  

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov] 
Sent: Wednesday, August 28, 2002 4:54 PM
To: Tony Wong
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] PORN Virgin

On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:
Every time I bring up ACID from my workstation browser, I see "PORN
Virgin" from my workstation to the IDS box, which is also running ACID.

Why is that?

Either someone is interested in "virgin wool", "a young virgin cow", or
you are sending your rule set over the net and capturing it with your
carefully configured snort IDS.  Have you bothered to look at the data
surrounding the key word "virgin" (using ACID)?  Also, check your
collection of rules for the keyword "virgin".  Oh, heck, I can do that!

$ cd where-ever-your-rules-are
$ grep -i virgin *
porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "PORN virgin"; content: "virgin "; nocase; flow: to_client,established; classtype: kickass-porn; sid:1796; rev:2;)




-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
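
An added example, not part of the original thread and not Snort code: a simplified Python model of why the suggested pass rule only suppresses the ACID alert when pass rules are evaluated first (-o), given that Snort's standard order at the time was Alert->Pass->Log. The address 192.0.2.10 standing in for <snortbox>, the sample payloads, and the reduction of the rule variables to "any" are assumptions made for illustration.

```python
# Simplified model of Snort rule-evaluation order (illustrative, not Snort code).
from dataclasses import dataclass
SNORTBOX = "192.0.2.10"  # constructed address standing in for <snortbox>

@dataclass
class Rule:
    action: str            # "alert" or "pass"
    src_ip: str            # "any" or a literal address
    src_port: object       # "any" or an int
    content: bytes = b""   # empty means a header-only rule
    nocase: bool = False
    msg: str = ""

    def matches(self, pkt):
        if self.src_ip not in ("any", pkt["src_ip"]):
            return False
        if self.src_port not in ("any", pkt["src_port"]):
            return False
        data, needle = pkt["payload"], self.content
        if self.nocase:
            data, needle = data.lower(), needle.lower()
        return needle in data  # plain substring match, like content:

RULES = [
    # The rule from the grep output, uncommented; variables reduced to "any".
    Rule("alert", "any", 80, b"virgin ", True, "PORN virgin"),
    # The suggested rule: pass tcp <snortbox> 80 -> any any
    Rule("pass", SNORTBOX, 80),
]

DEFAULT_ORDER = ("alert", "pass")     # standard order (log rules omitted)
PASS_FIRST_ORDER = ("pass", "alert")  # order selected by -o

def evaluate(pkt, rules, order):
    """Return (action, msg) of the first matching rule, or None."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return rule.action, rule.msg
    return None

# Constructed packets: an ACID page served by the Snort box, and other web traffic.
ACID_PAGE = {"src_ip": SNORTBOX, "src_port": 80,
             "payload": b"<td>PORN virgin </td><td>2002-08-28</td>"}
OTHER_SITE = {"src_ip": "198.51.100.7", "src_port": 80,
              "payload": b"100% Virgin wool sweaters"}

for name, pkt in (("ACID page", ACID_PAGE), ("other site", OTHER_SITE)):
    print(name, evaluate(pkt, RULES, DEFAULT_ORDER), evaluate(pkt, RULES, PASS_FIRST_ORDER))
```

In this model the pass rule silences everything the Snort box serves on port 80, so the scope of the exemption is the whole web server, not just ACID.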


