[Snort-users] Snort 1U Appliance for Sale on EBay

Nicholas Bachmann asterisk at ...11321...
Fri Feb 27 16:37:01 EST 2004


Frank Knobbe wrote:

>On Fri, 2004-02-27 at 15:43, Brian wrote:
>  
>
>>On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:
>>    
>>
>>>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow
>>>Detected"; pcre:"/turn[-\s]*key/i"; classtype:"marketing-mumbojumbo";
>>>sid:55378008; rev:1;)
>>>      
>>>
>
>
>Ain't gonna work. I argue you can't detect sales blurb with signature
>based IDS's. Instead, you need to create a plugin to Snort that is based
>on statistical analysis of the blurb. Besides "turn-key" you have other
>words like "pinnacle", "ubiquitous", "synergy", "core competencies",
>"expeditious", "win-win", "fast track", "mindset", "value-added",
>"metrics", and of course "paradigm" (besides oodles of others). Only
>through statistical analysis of occurrence of these words can you safely
>detect sales blurb.
>  
>
Please don't forget "future-proof" and "integrated."

Oh wait, I'm the one being made fun of :-(.

(Sorry about sending the Spam... I thought this list was OK with 
commercial messages; that was my blunder.)

Nick




