Re: Snort 1U Appliance for Sale on EBay

[Brian <bmc () snort org>]

On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow
> Detected"; pcre:"/turn[-\s]*key/i" classtype:"marketing-mumbojumbo";
> sid:55378008; rev:1;)

Ugh.  There are all sorts of issues with this rule. 

1) First, salesman is sexist.  
2) Second, not all sales people are into mumbojumbo, only idiots are
   into mumbojumbo.  As such, we should clarify the message.
3) Third, I highly doubt sales people would be able to send raw TCP
   packets, nor would their target audience be listening for that, so
   make sure it is in a valid TCP stream
4) The classtype marketing-mumbojumbo is the wrong classtype.  This rule 
   looks for a sales idiot, not a marketing idiot.  You could get the
   wrong person fired with that classtype.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDIOT SALES PEOPLE BS overflow attempt"; flow:established; 
content:"turn"; nocase; pcre:"/turn[-\s]*?key/i" classtype:sales-mumbojumbo; sid:55378008; rev:2;)

There, much better. :)

Brian


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users