[Snort-sigs] new PORN sigs

Imran William Smith iwsmith at ...500...
Wed May 29 18:00:02 EDT 2002

MessageI would suggest long patterns wherever possible, to avoid
false alarms.  If somebody is surfing porn, I would imagine
sooner or later, one of the existing patterns will match (I
believe there are quite a few).  Too many, and there'll just
be more false alarms.  Certainly, I would imagine the word
'voyeur' would pop up in lots of clean sites, lots of personal
sites, etc.

Also, some moderately dubious non-porn sites (e.g. black
hat security sites) have a tendency to pop up adverts for 
porn, so a few alerts should probably just be ignored, and 
only a large volume investigated.

Just my thoughts on false alarms.

Other thought - anybody got any patterns for network games - another
policy related area.   I was thinking maybe there would be a market
for snort to be used solely as a policy monitor - just stick it on
internal networks, review the results every month or two, no need
for constant review.  If DCHP is set up to loan the same IP for
a week or two, the culprit(s) would have the same IP address for a long

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

  ----- Original Message ----- 
  From: Kreimendahl, Chad J 
  To: Snort-Sigs (snort-sigs at lists.sourceforge.net) 
  Sent: Thursday, May 30, 2002 2:56 AM
  Subject: [Snort-sigs] new PORN sigs

  I'd like to propose adding the following sigs to the PORN rules.   We've noticed a large frequency of these other words in conjunction with people surving pr0n.  (Hopefully our outbound mail server won't block this).  Comments, additions?
  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn;) 
  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn;)   (this one could be joined to just be nipple clamp... but we've seen a great deal of ones that just had these two words close together, and were all in violation of policy)
  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn;)
  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn;)
  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn;)
  tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020529/2d3a8691/attachment.html>

More information about the Snort-sigs mailing list