Re: Snort 1U Appliance for Sale on EBay

[Nicholas Bachmann <asterisk () not-real org>]

Frank Knobbe wrote:

> On Fri, 2004-02-27 at 15:43, Brian wrote:
>  
>
> > On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:
> >    
> >
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow
> > > Detected"; pcre:"/turn[-\s]*key/i" classtype:"marketing-mumbojumbo";
> > > sid:55378008; rev:1;)
> > >      
>
>
> Ain't gonna work. I argue you can't detect sales blurb with signature
> based IDS's. Instead, you need to create a plugin to Snort that is based
> on statistical analysis of the blurb. Besides "turn-key" you have other
> words like "pinnacle", "ubiquitous", "synergy", "core competencies",
> "expeditious", "win-win", "fast track", "mindset", "value-added",
> "metrics", and of course "paradigm" (besides oodles of others). Only
> through statistical analysis of occurrence of these words can you safely
> detect sales blurb.
>  
Please don't forget "future-proof" and "integrated."

Oh wait, I'm the one being made fun of :-(.

(Sorry about sending the Spam... I thought this list was OK with 
commercial messages; that was my blunder.)

Nick



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users