[Snort-sigs] Getting an exact match on content
mkettler at ...189...
Fri Nov 30 07:37:11 EST 2001
Of course, this whole discussion quickly devolves into how wildly
inaccurate any form of text matches are going to be. The offensiveness of a
site is a subjective matter, and that's not something easily put into text
searches. Also many words used on porn sites have legitimate existence on

You'll likely have to tune your rules to reduce false positives given the
simple matching of snort, and use human judgement to sort out which alerts
are valid and which are not. Use appropriate placement of spaces to force
single word matches, and I strongly recommend using phrases or multi-word
matches instead of single words (as g.coochey already did).

Even commercial packages dedicated to the purpose of filtering porn, with
highly specialized engines and rulesets have a relatively high false rate.
One network I use has a highly rated professional package for the purpose,
and I've seen it block the strangest things (gnu.org?? the local public
library??). And yet some porn re-directors (site name typo types) manage to
evade it (much to my own nuisance as I try to kill all the pop-ups).

Disclaimer: These are my own opinions and experiences, yours, those of my
employer, schools, and the actual truth, may differ. (like you didn't
already know that)

At 09:48 AM 11/30/2001, g.coochey at ...138... wrote:
> content:"anal "; nocase;
> content:" anal "; nocase;
>To be honest though, this looks like a bad rule. The word " anal " is
>going to throw up too many false positives, and with REST you'll get a lot
>of angry users.
>content:" anal "; nocase; content:" sex "; nocase;
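The following is an added example, not part of the original thread: it runs the three content patterns quoted above against constructed payloads to show where space padding removes false positives and where it introduces misses. It assumes a simplified model of Snort's `content` option (a case-insensitive substring search with no offset, depth or distance modifiers); the payloads and the names `RULES`, `PAYLOADS`, `rule_fires` and `evaluate` are made up for illustration.

```python
# Simplified model (assumption): each "content" is a plain substring search
# over the payload, "nocase" is applied to every content, and a rule fires
# only when all of its contents are found anywhere in the payload.

RULES = {  # content strings from the rules quoted in the thread
    "trailing-space": [b"anal "],
    "padded": [b" anal "],
    "padded-pair": [b" anal ", b" sex "],
}

# Constructed sample payloads, not captured traffic.
PAYLOADS = {
    "canal": b"The Panama Canal opened in 1914",
    "idiom": b"He is a bit anal about log formats",
    "keywords": b'<meta name="keywords" content="anal,sex">',
    "explicit": b"Free ANAL SEX pics here",
    "unrelated": b"The form asks for sex and age; our editor is anal about commas",
}


def rule_fires(contents, payload):
    """Return True when every content string occurs in the payload (nocase)."""
    data = payload.lower()
    return all(c.lower() in data for c in contents)


def evaluate(rules=RULES, payloads=PAYLOADS):
    """Map each rule name to the sorted list of payload names it alerts on."""
    return {
        name: sorted(p for p, data in payloads.items() if rule_fires(contents, data))
        for name, contents in rules.items()
    }


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print(f"{rule:15} -> {hits}")
```

The leading space drops the "canal" substring hit, but no pattern catches the comma-delimited keyword list, and the two-content rule still alerts on the "unrelated" payload because the contents are matched independently of each other's position.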