[Snort-sigs] new PORN sigs

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Wed May 29 11:57:05 EDT 2002


 
I'd like to propose adding the following sigs to the PORN rules. We've
noticed a large frequency of these other words in conjunction with people
serving pr0n.  (Hopefully our outbound mail server won't block this).
Comments, additions?
 
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn;)
(this one could be joined to just be nipple clamp... but we've seen a great
deal of ones that just had these two words close together, and were all in
violation of policy)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn;)
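
An added example, not part of the original post and not Snort's own code: a toy Python model of how the two independent `content` options in the "nipple clamp" rule match, compared with a proximity limit such as Snort's `within` modifier (assumed available in the Snort version in use). The function names and the sample payloads are constructed for illustration.

```python
"""Toy model of Snort content matching for a two-keyword rule."""


def find_all(haystack: bytes, needle: bytes):
    """Yield the end offset of every occurrence of needle in haystack."""
    start = 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return
        yield i + len(needle)
        start = i + 1


def rule_fires(payload: bytes, first: bytes, second: bytes, within=None) -> bool:
    """Model content:first; nocase; content:second; nocase; [within:N;]."""
    data = payload.lower()                      # nocase on both contents
    first, second = first.lower(), second.lower()
    if within is None:
        # Two plain content options are each searched over the whole
        # payload, so neither order nor distance is checked.
        return first in data and second in data
    # With within:N the second pattern must lie entirely inside the
    # N bytes that follow some occurrence of the first pattern.
    return any(second in data[end:end + within]
               for end in find_all(data, first))


# Constructed HTTP response bodies (not captured traffic).
HARDWARE = (b"<li>Brass grease nipple, M6</li>"
            + b"<li>spacer</li>" * 20
            + b"<li>Stainless hose CLAMP, 12mm</li>")
REVERSED = b"<p>Hose clamp and grease nipple set</p>"
ADJACENT = b"<title>Nipple  Clamps</title>"

if __name__ == "__main__":
    for name, body in (("hardware", HARDWARE), ("reversed", REVERSED),
                       ("adjacent", ADJACENT)):
        print(name,
              "as posted:", rule_fires(body, b"nipple", b"clamp"),
              "within 10:", rule_fires(body, b"nipple", b"clamp", within=10))
```

As posted, the rule alerts on all three bodies, including the plumbing catalogue; only the proximity-limited form restricts it to pages where the two words sit close together.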
 