[Snort-users] Snort 1U Appliance for Sale on EBay

Frank Knobbe frank at ...9761...
Fri Feb 27 15:42:11 EST 2004


On Fri, 2004-02-27 at 15:43, Brian wrote:
> On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow
> > Detected"; pcre:"/turn[-\s]*key/i"; classtype:"marketing-mumbojumbo";
> > sid:55378008; rev:1;)


Ain't gonna work. I argue you can't detect sales blurb with signature-
based IDSs. Instead, you need to create a plugin to Snort that is based
on statistical analysis of the blurb. Besides "turn-key" you have other
words like "pinnacle", "ubiquitous", "synergy", "core competencies",
"expeditious", "win-win", "fast track", "mindset", "value-added",
"metrics", and of course "paradigm" (besides oodles of others). Only
through statistical analysis of occurrence of these words can you safely
detect sales blurb.

How about spp_bullshit.c? :)

Cheers,
Frank
