Snort mailing list archives

Re: porno rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 16:42:32 -0400

Are you doing a web or usenet (groups) search on google?

Snort will fire off based on the response, not the submission, so if the page that comes back has a.b.p.e in the text, it is perfectly reasonable for Snort to fire off that rule. This is very likely to happen if you were to use Google's groups search, but very unlikely to happen if you did a web search.

That said, view the source of the exact page you got back. Does it contain the string alt.binaries.pictures.erotica? If so, Snort correctly fired off.

As far as missing the "nude cheerleader" in the response, have you done a kill -USR1 on your Snort process and looked at the packet statistics? (They'll be dumped to syslog, so they usually wind up in /var/log/messages.) If you're dropping packets, that could be why it's seeing one part and not another.

If those options don't help, could you post some more detail? Right now you're just giving very vague generalities about what you are doing and what alerts are generated. Be specific. Include the alerts and the packet dumps that Snort generates (IPs censored if you prefer).

Also of note, the fact that you even HAD an entry for ASN1 in your snort.conf seems very problematic and indicates the "upgrade" wasn't done properly. That line shouldn't have been there in the first place.

When you upgraded to 2.0, you should have made a completely new snort.conf based on the one that shipped with 2.0.

Do NOT try to re-use a snort.conf from 1.9.x, if for no other reason than that the list of *.rules files has changed.

It's also inadvisable to use the portscan2 and conversation preprocessors; those are disabled by default in Snort 2.0's conf.

At 12:49 PM 4/29/2003 -0700, Bryan Irvine wrote:
I'm having problems with my porn.rules

I'm trying to test it out, but no matter what I type in google for my
search criteria it always comes back the same.
alt.binaries.pictures.erotica

Any ideas?

--Bryan
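The point Matt makes about Snort matching on the returned page rather than the typed query, as an added example that is neither from this thread nor Snort's own code: a toy content matcher run over a constructed Groups request/response pair shows the newsgroup name is present only in the server's reply, so a rule with no direction restriction fires on the response. The HTTP traffic, the rule's sid and msg, and the "flow" field are all constructed for illustration.

```python
from typing import Optional

# Constructed sample traffic (not from the thread): what the browser sends
# (client -> server) and the result page that comes back (server -> client).
# Only the response carries the newsgroup name the rule looks for.
CLIENT_REQUEST = (
    b"GET /groups?q=nude+cheerleader HTTP/1.0\r\n"
    b"Host: groups.google.com\r\n\r\n"
)
SERVER_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><a href='/groups?group=alt.binaries.pictures.erotica'>"
    b"alt.binaries.pictures.erotica</a> (3 results)</body></html>"
)

# Minimal stand-in for a Snort content rule; sid and msg are made up here.
RULE = {
    "sid": 1000001,
    "msg": "PORN newsgroup name in HTTP traffic",
    "content": b"alt.binaries.pictures.erotica",
    "nocase": True,
    "flow": None,  # None = match either direction; "to_server"/"to_client" restricts
}

def content_hit(payload: bytes, rule: dict) -> Optional[int]:
    """Return the offset of the rule's content inside payload, or None."""
    hay, needle = payload, rule["content"]
    if rule.get("nocase"):
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    return idx if idx >= 0 else None

def scan_session(request: bytes, response: bytes, rule: dict) -> list:
    """Run the rule over both halves of one TCP session, honouring 'flow'."""
    alerts = []
    for direction, payload in (("to_server", request), ("to_client", response)):
        if rule["flow"] not in (None, direction):
            continue
        off = content_hit(payload, rule)
        if off is not None:
            alerts.append((direction, rule["sid"], off))
    return alerts

def show_context(payload: bytes, offset: int, width: int = 20) -> str:
    """The 'view the source' check: the bytes around the match, for the analyst."""
    lo, hi = max(0, offset - width), offset + len(RULE["content"]) + width
    return payload[lo:hi].decode("latin-1")

if __name__ == "__main__":
    for direction, sid, off in scan_session(CLIENT_REQUEST, SERVER_RESPONSE, RULE):
        payload = SERVER_RESPONSE if direction == "to_client" else CLIENT_REQUEST
        print(f"[sid {sid}] fired {direction} at offset {off}: ...{show_context(payload, off)}...")
```

Setting "flow" to "to_server" in the rule makes the same session produce no alert, which is why a rule meant to catch what a user submits, rather than what a site returns, needs a direction restriction.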


