[Snort-users] porno rules

Bryan Irvine bryan.irvine at ...9066...
Tue Apr 29 15:12:02 EDT 2003

On Tue, 2003-04-29 at 13:42, Matt Kettler wrote:
> Are you doing a web or usenet (groups) search on google?
Yes I'm trying on google and even clicking on links that appear to 
best match the ruleset to try and trigger it.

> Snort will fire off based on the response, not the submission, so if the 
> page that comes back has a.p.b.e in the text, it is perfectly reasonable 
> for snort to fire off that rule. This is very likely to happen if you were 
> to use google's groups search, but very unlikely to happen if you did a web 
> search.
> That said, view the source of the exact page you got back.. does it contain 
> the string alt.binaries.pictures.erotica ? If so, snort correctly fired off.
Nope none of the sites contain that.  Strange huh?

> As far as missing the "nude cheerleader" in the response, have you done a 
> kill -USR1 on your snort process and looked at the packet statistics 
> (they'll be dumped to syslog so usually wind up in /var/log/messages) If 
> you're dropping packets, that could be why it's seeing one part, and not 
> another.
No dropped packets.

> If those options don't help, could you post some more detail. Right now 
> you're just giving very vague generalities about what you are doing, and 
> what alerts are generated. Be specific. Include alerts and the packet dumps 
> that snort generates (IP's censored if you prefer).
It's an OpenBSD server running a PF firewall and NAT.  
I have 4 instances of snort running so it's really easy to keep track of
what's going on in each network (there's 4 nic's: 2NAT's, 1 DMZ).
I'm testing it on 1 NAT to see if I can get it running.
Here's what ps -ax  | grep snort looks like

 8024 ??  Is      0:00.75 snort -l /var/www/htdocs/snort/xl0 -A FULL -c
/usr/local/share/snort/snort.conf -D 
13911 ??  Is      0:00.71 snort -i xl1 -l /var/www/htdocs/snort/xl1 -A
FULL -c /usr/local/share/snort/internal-snort.conf -D 
 3722 ??  Is      0:00.76 snort -i xl2 -l /var/www/htdocs/snort/xl2 -A
FULL -c /usr/local/share/snort/internal-snort.conf -D 
 9145 ??  Is      0:00.80 snort -i xl3 -l /var/www/htdocs/snort/xl3 -A
FULL -c /usr/local/share/snort/snort.conf -D 

> Also of note, the fact that you even HAD an entry for ASN1 in your 
> snort.conf seems very problematic and indicates the "upgrade" wasn't done 
> properly. that line shouldn't have been there in the first place.
> When you upgraded to 2.0, you should have made a completely new snort.conf 
> based on the one that shipped with 2.0.
> Do NOT try to re-use a snort.conf from 1.9.x.  if for no other reason that 
> the list of *.rules files has changed.
> It's also inadvisable to use portscan2 and conversation preprocessors.. 
> those are disabled by default in snort 2.0's conf.

I changed it to the 2.0 snort.conf file, didn't change a thing :-/


> At 12:49 PM 4/29/2003 -0700, Bryan Irvine wrote:
> >I'm having problems with my porn.rules
> >
> >I'm trying to test it out, but no matter what I type in google for my
> >search criteria it always comes back the same.
> >alt.binaries.pictures.erotica
> >
> >Any ideas?
> >
> >--Bryan

More information about the Snort-users mailing list