[Snort-users] porno rules

Matt Kettler mkettler at ...4108...
Tue Apr 29 13:45:04 EDT 2003


Are you doing a web or usenet (groups) search on google?

Snort will fire off based on the response, not the submission, so if the 
page that comes back has a.p.b.e in the text, it is perfectly reasonable 
for snort to fire off that rule. This is very likely to happen if you were 
to use google's groups search, but very unlikely to happen if you did a web 
search.

That said, view the source of the exact page you got back.. does it contain 
the string alt.binaries.pictures.erotica ? If so, snort correctly fired off.

As far as missing the "nude cheerleader" in the response, have you done a 
kill -USR1 on your snort process and looked at the packet statistics 
(they'll be dumped to syslog so usually wind up in /var/log/messages) If 
you're dropping packets, that could be why it's seeing one part, and not 
another.

If those options don't help, could you post some more detail. Right now 
you're just giving very vague generalities about what you are doing, and 
what alerts are generated. Be specific. Include alerts and the packet dumps 
that snort generates (IP's censored if you prefer).

Also of note, the fact that you even HAD an entry for ASN1 in your 
snort.conf seems very problematic and indicates the "upgrade" wasn't done 
properly. that line shouldn't have been there in the first place.

When you upgraded to 2.0, you should have made a completely new snort.conf 
based on the one that shipped with 2.0.

Do NOT try to re-use a snort.conf from 1.9.x.  if for no other reason that 
the list of *.rules files has changed.

It's also inadvisable to use portscan2 and conversation preprocessors.. 
those are disabled by default in snort 2.0's conf.

At 12:49 PM 4/29/2003 -0700, Bryan Irvine wrote:
>I'm having problems with my porn.rules
>
>I'm trying to test it out, but no matter what I type in google for my
>search criteria it always comes back the same.
>alt.binaries.pictures.erotica
>
>Any ideas?
>
>--Bryan





More information about the Snort-users mailing list