[Snort-users] PORN Virgin

Phil Wood cpw at ...440...
Wed Aug 28 15:54:04 EDT 2002


On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:
> Everytime I bring up ACID from my workstation browser. I see "PORN
> Virgin" from my workstation to the IDS box which is also running ACID.
> 
> Why is that?

Either someone is interested in "virgin wool", "a young virgin cow", or
you are sending your rule set over the net and capturing it with your
carefully configured snort IDS.  Have you bothered to look at the data
surrounding the key word "virgin" (using ACID).  Also, check your
collection of rules for the keyword "virgin".  Oh, heck I can do that!

$ cd where-ever-your-rules-are
$ grep -i virgin *
porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "PORN virgin"; content: "virgin "; nocase; flow: to_client,established; classtype: kickass-porn; sid:1796; rev:2;)

> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's fastest growing 
> real-time communications platform! Don't just IM. Build it in! 
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list