[Snort-sigs] Getting an exact match on content

Matt Kettler mkettler at ...189...
Fri Nov 30 07:37:11 EST 2001

Of course, this whole discussion quickly devolves into how wildly 
inaccurate any form of text matches are going to be. The offensiveness of a 
site is a subjective matter, and that's not something easily put into text 
searches. Also many words used on porn sites have legitimate existence on 
scientific sites.

You'll likely have to tune your rules to reduce false positives given the 
simple matching of snort, and use human judgement to sort out which alerts 
are valid and which are not. Use appropriate placement of spaces to force 
single word matches, and I strongly recommend using phrases or multi-word 
matches instead of single words (as g.coochey already did).

Even commercial packages dedicated to the purpose of filtering porn, with 
highly specialized engines and rulesets have a relatively high false rate. 
One network I use has a highly rated professional package for the purpose, 
and I've seen it block the strangest things (gnu.org?? the local public 
library??). And yet some porn re-directors (site name typo types) manage to 
evade it (much to my own nuisance as I try to kill all the pop-ups).

Disclaimer: These are my own opinions and experiences, yours, those of my 
employer, schools, and the actual truth, may differ. (like you didn't 
already know that)

At 09:48 AM 11/30/2001, g.coochey at ...138... wrote:
>Instead of:
>     content:"anal "; nocase;
>     content:" anal "; nocase;
>To be honest though, this looks like a bad rule. The word " anal " is 
>going to throw up too many false positives, and with REST you'll get a lot 
>of angry users.
>content:" anal ";nocase;content:" sex ";nocase
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list