[Snort-sigs] Rule 1797 triggered by Win XP SP2 download

Gregoire Hostettler ghostettler at ...2716...
Mon Aug 9 16:06:01 EDT 2004


Getting false positives on sid 1797 (BDSM) while downloading Win XP SP2,
English and German versions (as well as a bunch of bleedingsnort sids).

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM";
content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn;
sid:1797; rev:1;)

It just reacts on "BDSM", w/o any other check.

Not a big deal when downloading, but when pushing this to workstations from
SUS, I bet this will raise many, many, many more false alarms!

So be warned and do not suspect all your users of surfing porn sites at the
same time ;-)


Caracal - G. Hostettler
6, ch. du Raidillon
1522 Lucens


e-mail (general business): info at ...2716...
e-mail (personal): ghostettler at ...2716...
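
Added example (not part of the original post, and not Snort code): a Python sketch of why a bare 4-byte nocase content match fires on large binary downloads, and how a hit can be triaged by Content-Type. The sample responses are constructed, and treating compressed installer data as uniformly random is an assumption.

```python
import re

PATTERN = b"BDSM"  # content string of sid 1797 as quoted in the post


def nocase_hits(payload, pattern=PATTERN):
    """Offsets where pattern occurs ignoring ASCII case (content + nocase)."""
    return [m.start() for m in re.finditer(re.escape(pattern), payload, re.I)]


def expected_chance_hits(size_bytes, pattern=PATTERN):
    """Expected matches in size_bytes of uniformly random data (assumption:
    compressed installer payloads look roughly random)."""
    p = 1.0
    for b in pattern:
        p *= (2 if bytes([b]).isalpha() else 1) / 256  # upper or lower case
    return max(size_bytes - len(pattern) + 1, 0) * p


def classify(response):
    """Triage one HTTP response: 'no-match', 'text-match' or 'binary-match'."""
    head, _, body = response.partition(b"\r\n\r\n")
    if not nocase_hits(response):
        return "no-match"
    m = re.search(rb"^content-type:\s*([^;\r\n]+)", head, re.I | re.M)
    ctype = m.group(1).strip().lower() if m else b""
    return "text-match" if ctype.startswith(b"text/") else "binary-match"


# Constructed sample responses, not captured traffic.
HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<title>bdsm</title>"
BINARY = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
          b"MZ\x90\x00\x9fbDsM\x01\xff")

if __name__ == "__main__":
    for name, resp in (("html", HTML), ("binary", BINARY)):
        print(name, classify(resp), nocase_hits(resp))
    print("expected chance hits in 256 MiB:", expected_chance_hits(256 * 2**20))
```

Each position in random data matches with probability (2/256)^4, so about 256 MiB of such data gives one expected hit, and every workstation pulling the same file hits the same offset.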




