[Snort-users] Snort 1U Appliance for Sale on EBay
bmc at ...950...
Fri Feb 27 13:54:03 EST 2004
On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow
> Detected"; pcre:"/turn[-\s]*key/i"; classtype:"marketing-mumbojumbo";
> sid:55378008; rev:1;)
Ugh. There are all sorts of issues with this rule.
1) First, salesman is sexist.
2) Second, not all sales people are into mumbojumbo, only idiots are
into mumbojumbo. As such, we should clarify the message.
3) Third, I highly doubt sales people would be able to send raw TCP
packets, nor would their target audience be listening for that, so
make sure it is in a valid TCP stream.
4) The classtype marketing-mumbojumbo is the wrong classtype. This rule
looks for a sales idiot, not a marketing idiot. You could get the
wrong person fired with that classtype.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDIOT SALES PEOPLE BS overflow attempt"; flow:established; content:"turn"; nocase; pcre:"/turn[-\s]*?key/i"; classtype:sales-mumbojumbo; sid:55378008; rev:2;)
There, much better. :)
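The two real rule-writing points buried in the joke above (require an established flow before inspecting payload, and put a cheap `content` match ahead of the `pcre` so the regex only runs on packets that can possibly match) can be illustrated with a small Python model. This is an added example, not code from the thread or from Snort; the sample payloads are constructed, and the evaluator is a deliberately simplified approximation of Snort's option ordering, not its actual detection engine.

```python
import re

# Constructed sample traffic: (flow_established, payload) pairs.
# A real sensor would get the flow state from its TCP stream tracker.
SAMPLES = [
    (True,  "Our turn-key 1U appliance ships today"),   # matches
    (True,  "Turnkey IDS, batteries included"),         # matches (no separator)
    (True,  "turn   key pricing available"),            # matches (whitespace)
    (False, "turn-key"),                                # not established: skipped
    (True,  "Please return the key to the front desk"), # passes prefilter, regex fails
    (True,  "nothing to see here"),                     # rejected by prefilter
]

# Options from the rev:2 rule, in the order the rule lists them.
CONTENT = "turn"                                    # content:"turn"; nocase;
PCRE = re.compile(r"turn[-\s]*?key", re.IGNORECASE)  # pcre:"/turn[-\s]*?key/i"


def rule_matches(established, payload, stats):
    """Evaluate one packet against the toy rule.

    stats counts how many packets reached the regex, to show that the
    content prefilter (and the flow check) keeps the PCRE from running
    on every packet.
    """
    # flow:established -- ignore anything not inside a completed handshake.
    if not established:
        return False
    # content:"turn"; nocase; -- cheap substring check first.
    if CONTENT not in payload.lower():
        return False
    # Only now pay for the regular expression.
    stats["pcre_evaluated"] += 1
    return PCRE.search(payload) is not None


def evaluate(samples):
    """Run every sample through the rule; return alerts and prefilter stats."""
    stats = {"pcre_evaluated": 0}
    alerts = [payload for established, payload in samples
              if rule_matches(established, payload, stats)]
    return {"alerts": alerts, "pcre_evaluated": stats["pcre_evaluated"]}


if __name__ == "__main__":
    result = evaluate(SAMPLES)
    print(f"{len(result['alerts'])} alerts, regex run "
          f"{result['pcre_evaluated']} times for {len(SAMPLES)} packets")
    for payload in result["alerts"]:
        print("  ALERT:", payload)
```

The "return the key" sample is the interesting one: it survives the `content:"turn"` prefilter because `return` contains the substring, but the regex still rejects it since only hyphens or whitespace may sit between `turn` and `key`. That is the normal division of labour in a Snort rule: the content match is the fast filter, the PCRE is the precise one.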