[Snort-sigs] porn rules

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Tue Mar 26 08:07:13 EST 2002


Not that this is very important... but it was of some interest to us...

We have been using the snort porn rules (and some similar that we developed)
to catch people browsing for porn... and then join those with the proxy logs
to get an answer about their surfing habits.  After the recent change
(flow) to all the rules, it appears that we're catching none of the ones we
were prior.

Interestingly enough... when I asked someone in the office to do a google
search for 'free xxx' through the proxy... I did see an alert caused by the
ICQ message... but anyway

Should the flow on porn rules be 'to_server'?  Wouldn't the pr0n content be
coming 'from_server' and is that really the same as 'to_client'?

I'm still trying to be the sigsnazi.
 -CJK



