[Snort-users] PORN Virgin

Matthew Wagenknecht Matthew.Wagenknecht at ...6755...
Thu Aug 29 07:38:02 EDT 2002


You can always use the -o option to process pass rules first and add:

pass tcp <snortbox> 80 -> any any

Virginia also triggers..  =c)


..:: Matt ::..  

-----Original Message-----
From: Phil Wood [mailto:cpw at ...440...] 
Sent: Wednesday, August 28, 2002 4:54 PM
To: Tony Wong
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] PORN Virgin

On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:
> Every time I bring up ACID from my workstation browser, I see "PORN
> Virgin" from my workstation to the IDS box which is also running ACID.
> 
> Why is that?

Either someone is interested in "virgin wool", "a young virgin cow", or
you are sending your rule set over the net and capturing it with your
carefully configured snort IDS.  Have you bothered to look at the data
surrounding the keyword "virgin" (using ACID)?  Also, check your
collection of rules for the keyword "virgin".  Oh, heck I can do that!

$ cd where-ever-your-rules-are
$ grep -i virgin *
porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "PORN virgin"; content: "virgin "; nocase; flow: to_client,established; classtype: kickass-porn; sid:1796; rev:2;)

> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's fastest growing 
> real-time communications platform! Don't just IM. Build it in! 
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...
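
Added example, not part of the original thread and not Snort code: a simplified Python model of the rule ordering discussed above, showing why the pass rule only suppresses the ACID self-match when pass rules are processed first (the -o option). The addresses, ports and payloads are constructed, and the alert header is reduced to "any 80" as an assumption.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    action: str            # "alert" or "pass"
    src: str               # source IP or "any"
    sport: object          # source port or "any"
    content: bytes = b""   # empty means a header-only rule
    msg: str = ""

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.sport != "any" and self.sport != p.sport:
            return False
        # "nocase" content match, as in the sid:1796 rule quoted in the thread
        return self.content.lower() in p.payload.lower()

def evaluate(rules, packet, pass_first=False):
    """Return (action, msg) of the first matching rule, or None.
    Default order is alert then pass; pass_first=True models -o."""
    order = ["pass", "alert"] if pass_first else ["alert", "pass"]
    for action in order:
        for r in rules:
            if r.action == action and r.matches(packet):
                return (action, r.msg)
    return None

SNORTBOX = "192.0.2.10"  # constructed address standing in for <snortbox>
RULES = [
    Rule("alert", "any", 80, b"virgin ", "PORN virgin"),
    Rule("pass", SNORTBOX, 80),
]
# Constructed ACID response: the console page lists the alert name itself.
ACID_PAGE = Packet(SNORTBOX, 80, "192.0.2.50", 34567,
                   b"HTTP/1.1 200 OK\r\n\r\n<td>PORN virgin </td>")
OTHER_SITE = Packet("198.51.100.7", 80, "192.0.2.50", 34568,
                    b"HTTP/1.1 200 OK\r\n\r\n<p>extra virgin olive oil</p>")

if __name__ == "__main__":
    print(evaluate(RULES, ACID_PAGE))                   # alert fires on the console page
    print(evaluate(RULES, ACID_PAGE, pass_first=True))  # pass rule wins
    print(evaluate(RULES, OTHER_SITE, pass_first=True)) # other hosts still alert
```

Note that the pass rule in this model, like the one suggested in the thread, exempts all port 80 traffic from the Snort box, not only the ACID pages.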


