[Snort-sigs] Sig 1313 documentation and questions

Gauldin Sean gauldinsg at ...144...
Sat Jun 7 17:47:01 EDT 2003


Hello all,

I have some rules documented and am more than willing
to submit them if the rule below is satisfactory with
regards to the information and verbiage. I didn't want
to waste anyone's time or space by submitting
incorrect/unsatisfactory sig documentation. I have all
of the inappropriate content (i.e. PORN) rules
documented and some others (p2p clients, PCAnywhere).

I also have a question regarding a possible new snort
rule category. I am not trying to turn snort into a
content monitoring application, but it seems as though
some of the rules are related to company policy
violations. So, I thought I would throw up the idea of
mail-monitor.rules and see how it would fly. These
rules would basically mirror some of the previously
submitted inappropriate content rules, as well as
possible vulgar, racial, and demoralizing remarks. I
know in some businesses one is just as bad as the
other, but either way just a thought. If it is
something worthwhile I can get some rules for it.

Please let me know if you would like the other rules
submitted or if this one needs work. I am more than
willing to help.

Sincerely,

Sean



-------------------------------------------------------------------------------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#



Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)

--

Sid: 1313

--

Summary: Possibly inappropriate content is being
returned or sent to a host located on $HOME_NET.

--

Impact: Organizational policy violation. Most
companies and businesses have a firm stance when it
comes to computer usage and inappropriate content,
so a business-related impact would be a direct
result of a true positive alert. However, given the
kind of content that may be passing and recent virus
characteristics, other impacts cannot be disregarded
until further investigation of the packet has been
completed.

--

Detailed Information: This and all other "PORN" snort
rules are primarily for content monitoring. Whenever a
user on $HOME_NET views a web page or any other
content that contains the words "up skirt", is served
from $EXTERNAL_NET, and has a source port in
$HTTP_PORTS, this snort rule will trigger and
alerts will be sent out if snort has been configured
to do so. This type of alert informs the snort
administrator that possibly inappropriate material is
being queried for or viewed by someone on
his/her $HOME_NET (i.e. the organization's network).

--

Affected Systems: N/A

--

Attack Scenarios: N/A

--

Ease of Attack: N/A

--

False Positives: It is not unusual for a false
positive to occur due to improper search engine
queries. When an improper query is performed, the
search results page that is delivered may contain
these key words. This does not mean that the person
searched for this content: a website may deliberately
display this content alongside the content that the
person actually queried for. These tactics are used by
some sites to increase hits/visits in any way possible.

--

False Negatives: Very common. Users can be viewing
this type of content without these key words appearing
anywhere on the page. As more snort rules are added and
configured to monitor this type of content, the chances
of a user viewing this type of content decrease, as
does the likelihood of false negatives.
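The following is an added example, not part of the original post or of Snort itself: a minimal evaluator for the rule above, run over constructed traffic to show the search-results false positive and the "upskirt" (no space) false negative the Detailed Information, False Positives and False Negatives sections describe. The $HTTP_PORTS and $HOME_NET values and the 203.0.113.5 server are assumptions for the sample data.

```python
# Added example: evaluates sid 1313 against constructed packets (not real captures).
RULE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
        '(msg:"PORN up skirt"; content:"up skirt"; nocase; '
        'flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)')

HTTP_PORTS = {80, 8080}          # assumed value of $HTTP_PORTS
HOME_NET_PREFIX = "10.0.0."      # assumed $HOME_NET (10.0.0.0/24)

def parse_rule(rule):
    """Split a Snort rule into its header fields and a dict of its options."""
    header, opts = rule.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key] = value.strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}

def matches(rule, pkt):
    """True if the packet satisfies the header, flow direction and content match."""
    opts = rule["opts"]
    if pkt["src_ip"].startswith(HOME_NET_PREFIX):      # must originate on $EXTERNAL_NET
        return False
    if not pkt["dst_ip"].startswith(HOME_NET_PREFIX):  # must be delivered to $HOME_NET
        return False
    if pkt["sport"] not in HTTP_PORTS or not pkt["established"]:
        return False
    if "to_client" in opts.get("flow", "") and not pkt["to_client"]:
        return False
    payload, needle = pkt["payload"], opts["content"]
    if "nocase" in opts:                               # nocase: case-insensitive match
        payload, needle = payload.lower(), needle.lower()
    return needle in payload

# Constructed sample traffic; 203.0.113.5 stands in for an external web server.
SAMPLE_PACKETS = {
    "search_results_page": dict(src_ip="203.0.113.5", sport=80, dst_ip="10.0.0.7", dport=51000,
                                to_client=True, established=True,
                                payload="<title>Results for: Up Skirt</title>"),  # false positive
    "client_request": dict(src_ip="10.0.0.7", sport=51000, dst_ip="203.0.113.5", dport=80,
                           to_client=False, established=True,
                           payload="GET /?q=up+skirt HTTP/1.1"),                 # wrong direction
    "no_keyword_page": dict(src_ip="203.0.113.5", sport=80, dst_ip="10.0.0.7", dport=51000,
                            to_client=True, established=True,
                            payload="<title>upskirt gallery</title>"),           # false negative
}

def evaluate(rule_text=RULE):
    """Return {sample name: alert fired?} for every constructed packet."""
    rule = parse_rule(rule_text)
    return {name: matches(rule, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```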

--

Corrective Action: Follow the appropriate actions as
stated in your organizational policy regarding this
type of content/material. Educate the users about the
organizational policies in place regarding this type of
content and the consequences of viewing it.
Enable content monitoring and filtering.

--

Contributors:
Rule Author - ?
Rule Documentation - Sean Gauldin

-- 

Additional References:








