Snort mailing list archives
Re: Snort 1U Appliance for Sale on EBay
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 27 Feb 2004 17:29:56 -0600
On Fri, 2004-02-27 at 15:43, Brian wrote:
On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow Detected"; pcre:"/turn[-\s]*key/i"; classtype:"marketing-mumbojumbo"; sid:55378008; rev:1;)
Ain't gonna work. I argue you can't detect sales blurb with signature based IDSes. Instead, you need to create a plugin to Snort that is based on statistical analysis of the blurb. Besides "turn-key" you have other words like "pinnacle", "ubiquitous", "synergy", "core competencies", "expeditious", "win-win", "fast track", "mindset", "value-added", "metrics", and of course "paradigm" (besides oodles of others). Only through statistical analysis of occurrence of these words can you safely detect sales blurb. How about spp_bullshit.c? :)

Cheers,
Frank
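As an added example that is not code from the thread, from Snort, or from any real spp_bullshit preprocessor: a small Python scorer that runs the single-term pcre signature quoted above side by side with the word-occurrence approach Frank describes. The buzzword list is the one in his message (plus "turn-key"); the thresholds MIN_HITS and MIN_DENSITY and the three sample payloads are assumptions constructed for the demonstration, not data from the thread.

```python
import re

# Buzzword list taken from the message above, with "turn-key" (the original
# signature's term) added so both detectors see the same vocabulary.
BUZZWORDS = [
    "turn-key", "pinnacle", "ubiquitous", "synergy", "core competencies",
    "expeditious", "win-win", "fast track", "mindset", "value-added",
    "metrics", "paradigm",
]

# The single-term signature from the thread as a regex: matches "turn-key",
# "turnkey" and "turn key", case-insensitively.
SIGNATURE = re.compile(r"turn[-\s]*key", re.IGNORECASE)

# Assumed thresholds (not from the thread): a payload is called blurb when it
# contains at least MIN_HITS buzzword occurrences and they make up at least
# MIN_DENSITY of its words.
MIN_HITS = 3
MIN_DENSITY = 0.2


def _buzzword_pattern(term):
    """Build a regex tolerant of hyphen/space variants and simple plurals,
    e.g. "fast track" matches "fast-tracks" and "fast  track"."""
    parts = [re.escape(p) for p in re.split(r"[-\s]+", term)]
    return re.compile(r"\b" + r"[-\s]*".join(parts) + r"(?:s|es)?\b",
                      re.IGNORECASE)


BUZZWORD_PATTERNS = [_buzzword_pattern(t) for t in BUZZWORDS]


def signature_match(text):
    """The pcre-rule approach: fires on one fixed term and nothing else."""
    return SIGNATURE.search(text) is not None


def buzzword_stats(text):
    """The spp_bullshit approach: count buzzword occurrences and normalise by
    payload length so one stray "metrics" does not trip the detector."""
    hits = sum(len(p.findall(text)) for p in BUZZWORD_PATTERNS)
    words = len(re.findall(r"\w+", text))
    density = hits / words if words else 0.0
    return hits, words, density


def classify(text):
    """Run both detectors on one payload and report what each decides."""
    hits, words, density = buzzword_stats(text)
    return {
        "signature": signature_match(text),
        "hits": hits,
        "words": words,
        "density": round(density, 3),
        "statistical": hits >= MIN_HITS and density >= MIN_DENSITY,
    }


# Constructed sample payloads; not traffic or text from the original thread.
SAMPLES = {
    "turnkey_only": "Our turn-key appliance ships pre-configured.",
    "blurb_without_turnkey": (
        "A value-added, ubiquitous, win-win platform that fast-tracks "
        "your metrics paradigm with synergy."
    ),
    "technical": "Snort 2.1.1 on a 1U box with two copper gig ports and a 120GB disk.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = classify(text)
        print(f"{name:22s} signature={r['signature']!s:5s} "
              f"hits={r['hits']:2d}/{r['words']:2d} "
              f"density={r['density']:.2f} statistical={r['statistical']}")
```

Run as a script it prints one line per sample. The signature fires on the lone "turn-key" mention and stays silent on the blurb that never uses the word; the occurrence-based scorer does the reverse, which is the point of the message: a fixed-string rule keys on one token, while a density score keys on the vocabulary as a whole.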
Current thread:
- Snort 1U Appliance for Sale on EBay Nicholas Bachmann (Feb 26)
- <Possible follow-ups>
- RE: Snort 1U Appliance for Sale on EBay Kreimendahl, Chad J (Feb 27)
- Re: Snort 1U Appliance for Sale on EBay Brian (Feb 27)
- Re: Snort 1U Appliance for Sale on EBay Frank Knobbe (Feb 27)
- Re: Snort 1U Appliance for Sale on EBay Nicholas Bachmann (Feb 27)
- Re: Snort 1U Appliance for Sale on EBay Brian (Feb 27)
- RE: Snort 1U Appliance for Sale on EBay Keith Pachulski (Mar 01)