[Snort-users] porno rules
mkettler at ...4108...
Tue Apr 29 13:45:04 EDT 2003
Are you doing a web or usenet (groups) search on google?
Snort will fire off based on the response, not the submission, so if the
page that comes back has a.p.b.e in the text, it is perfectly reasonable
for snort to fire off that rule. This is very likely to happen if you were
to use google's groups search, but very unlikely to happen if you did a web
That said, view the source of the exact page you got back. Does it contain
the string alt.binaries.pictures.erotica? If so, snort correctly fired off.
As far as missing the "nude cheerleader" in the response, have you done a
kill -USR1 on your snort process and looked at the packet statistics?
(They'll be dumped to syslog, so they usually wind up in /var/log/messages.) If
you're dropping packets, that could be why it's seeing one part, and not
If those options don't help, could you post some more detail? Right now
you're just giving very vague generalities about what you are doing, and
what alerts are generated. Be specific. Include alerts and the packet dumps
that snort generates (IPs censored if you prefer).
Also of note, the fact that you even HAD an entry for ASN1 in your
snort.conf seems very problematic and indicates the "upgrade" wasn't done
properly. That line shouldn't have been there in the first place.
When you upgraded to 2.0, you should have made a completely new snort.conf
based on the one that shipped with 2.0.
Do NOT try to re-use a snort.conf from 1.9.x, if for no other reason than that
the list of *.rules files has changed.
It's also inadvisable to use the portscan2 and conversation preprocessors;
those are disabled by default in snort 2.0's conf.
At 12:49 PM 4/29/2003 -0700, Bryan Irvine wrote:
>I'm having problems with my porn.rules
>I'm trying to test it out, but no matter what I type in google for my
>search criteria it always comes back the same.