[Snort-users] Snort 1U Appliance for Sale on EBay

Brian bmc at ...950...
Fri Feb 27 13:54:03 EST 2004


On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow
> Detected"; pcre:"/turn[-\s]*key/i" classtype:"marketing-mumbojumbo";
> sid:55378008; rev:1;)

Ugh.  There are all sorts of issues with this rule. 

1) First, salesman is sexist.  
2) Second, not all sales people are into mumbojumbo, only idiots are
   into mumbojumbo.  As such, we should clarify the message.
3) Third, I highly doubt sales people would be able to send raw TCP
   packets, nor would their target audience be listening for that, so
   make sure it is in a valid TCP stream
4) The classtype marketing-mumbojumbo is the wrong classtype.  This rule 
   looks for a sales idiot, not a marketing idiot.  You could get the
   wrong person fired with that classtype.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDIOT SALES PEOPLE BS overflow attempt"; flow:established; content:"turn"; nocase; pcre:"/turn[-\s]*?key/i" classtype:sales-mumbojumbo; sid:55378008; rev:2;)

There, much better. :)

Brian




More information about the Snort-users mailing list