[Snort-sigs] GPL sig 1313

Joel Esler jesler at ...435...
Fri Mar 18 16:10:44 EDT 2011


It's not community.  Community's numbers were like 10,000,000 or something sids.  It's a discontinued VRT rule.

J

On Mar 18, 2011, at 4:02 PM, rmkml wrote:

> Hi,
> it's snort community if I remember correctly:
> rules/porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)
> Regards
> Rmkml
> 
> 
> On Fri, 18 Mar 2011, Weir, Jason wrote:
> 
>> Nigel,
>> Oops - my bad, it's part of the GPLs - looks like it came from the ET side...
>> Didn't they use to be distributed with Snort??
>> -J
>> 
>>> -----Original Message-----
>>> From: Nigel Houghton [mailto:nhoughton at ...435...]
>>> Sent: Friday, March 18, 2011 1:43 PM
>>> To: Weir, Jason
>>> Cc: snort-sigs at lists.sourceforge.net
>>> Subject: Re: [Snort-sigs] GPL sig 1313
>>> 
>>> 
>>> On Fri, 18 Mar 2011 12:01:47 -0400, Weir, Jason wrote:
>>>> Seeing what could be a FP on 1313
>>>> Here's the data - no "up skirt" that I can see....
>>>> -J
>>>> 
>>> 
>>> Is that SID correct? We don't have a rule with that particular SID.
> 

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
Twitter: @snort




