[Snort-users] PORN Virgin

Alexander Hoogerhuis alexh at ...3932...
Sat Aug 31 06:45:04 EDT 2002


Most likely cooking classes... pasta or salads are often spotted
arouind virgin olive oil. >;)

mvh,
A

Matthew Wagenknecht <Matthew.Wagenknecht at ...6755...> writes:

> You can always use the -o option to process pass rules first and add:
> 
> pass tcp <snortbox> 80 -> any any
> 
> Virginia also triggers..  =c)
> 
> 
> ..:: Matt ::..  
> 
> -----Original Message-----
> From: Phil Wood [mailto:cpw at ...440...] 
> Sent: Wednesday, August 28, 2002 4:54 PM
> To: Tony Wong
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] PORN Virgin
> 
> On Wed, Aug 28, 2002 at 01:02:59PM -0700, Tony Wong wrote:
> > Everytime I bring up ACID from my workstation browser. I see "PORN
> > Virgin" from my workstation to the IDS box which is also running ACID.
> > 
> > Why is that?
> 
> Either someone is interested in "virgin wool", "a young virgin cow", or
> you are sending your rule set over the net and capturing it with your
> carefully configured snort IDS.  Have you bothered to look at the data
> surrounding the key word "virgin" (using ACID).  Also, check your
> collection of rules for the keyword "virgin".  Oh, heck I can do that!
> 
> $ cd where-ever-your-rules-are
> $ grep -i virgin *
> porn.rules:# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:
> "PORN virgin"; content: "virgin "; nocase; flow: to_client,established;
> classtype: kickass-porn; sid:1796; rev:2;)
> 
> > 
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by: Jabber - The world's fastest growing 
> > real-time communications platform! Don't just IM. Build it in! 
> > http://www.jabber.com/osdn/xim
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> -- 
> Phil Wood, cpw at ...440...
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's fastest growing 
> real-time communications platform! Don't just IM. Build it in! 
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Alexander Hoogerhuis                               | alexh at ...3932...
CCNP - CCDP - MCNE - CCSE                          | +47 908 21 485
"You have zero privacy anyway. Get over it."  --Scott McNealy




More information about the Snort-users mailing list