[Snort-sigs] Rule 1797 triggered by Win XP SP2 download

Matthew Jonkman matt at ...2436...
Mon Aug 9 18:25:10 EDT 2004


Now that's funny. Might be a good slashdot.org article...  :)

Matt


Gregoire Hostettler wrote:
> Getting false positives on sid 1797 (BDSM) while downloading Win XP SP2,
> English and German versions (as well as a bunch of bleedingsnort sids).
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM";
> content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn;
> sid:1797; rev:1;)
> 
> It just reacts on "BDSM", without any other check.
> 
> Not a big deal when downloading, but when pushing this to workstations from
> SUS, I bet this will raise many, many, many more false alarms!
> 
> So be warned and do not suspect all your users of surfing porn sites at the
> same time ;-)
> 
> 
> Caracal - G. Hostettler
> 6, ch. du Raidillon
> 1522 Lucens
> 
> 
> General work e-mail: info at ...2716...
> Personal e-mail: ghostettler at ...2716...
> 

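Why a bare four-byte nocase content match like the one in sid 1797 fires on a large binary download, as an added example that is not part of the original thread. It assumes a compressed payload behaves like uniformly random bytes; the 270 MiB size and the sample buffer are constructed values, and the function names are hypothetical.

```python
import math

def variants(pattern: bytes, nocase: bool) -> int:
    """Number of distinct byte strings the content match accepts."""
    if not nocase:
        return 1
    letters = sum(1 for b in pattern if bytes([b]).isalpha())
    return 2 ** letters          # each ASCII letter matches in two cases

def expected_hits(n_bytes: int, pattern: bytes, nocase: bool = True) -> float:
    """Expected matches in n_bytes of uniformly random data (assumption)."""
    positions = max(n_bytes - len(pattern) + 1, 0)
    return positions * variants(pattern, nocase) / 256 ** len(pattern)

def p_at_least_one(n_bytes: int, pattern: bytes, nocase: bool = True) -> float:
    """Poisson approximation of the chance the rule fires at least once."""
    return 1.0 - math.exp(-expected_hits(n_bytes, pattern, nocase))

def count_matches(data: bytes, pattern: bytes, nocase: bool = True) -> int:
    """What content:"..."; [nocase;] does: a raw byte search, no context."""
    if nocase:
        data, pattern = data.lower(), pattern.lower()
    count, i = 0, data.find(pattern)
    while i != -1:
        count += 1
        i = data.find(pattern, i + 1)
    return count

# Constructed sample: binary bytes that happen to contain "bDsM".
SAMPLE = b"MZ\x90\x00\x1fbDsM\xa4\x00PK\x03\x04"
DOWNLOAD_BYTES = 270 * 1024 * 1024   # constructed size, not from the thread

if __name__ == "__main__":
    print("matches in sample (nocase):", count_matches(SAMPLE, b"BDSM"))
    print("matches in sample (exact): ", count_matches(SAMPLE, b"BDSM", False))
    print("expected hits per download: %.2f"
          % expected_hits(DOWNLOAD_BYTES, b"BDSM"))
    print("P(at least one alert):      %.2f"
          % p_at_least_one(DOWNLOAD_BYTES, b"BDSM"))
```

Under these assumptions roughly one alert per download is expected, and each extra byte of required content lowers that rate by a factor of 256.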