Subject: Re: [Snort-sigs] Thresholds on Policy Rules
Date: Thu, 14 Oct 2004 14:40:01 -0500
Jason wrote:

>> Yes, that is true, and those are the falses I hope to eliminate. I am tired of reading alerts about virginia, and stuff from WebMD. :) I would hope that this will slow those down, but they'll not eliminate it completely.
>
> I think the proper solution is to pass those alerts or suppress them from valid sites.

Yes, but there are far too many real sources I think. Maybe we should consider then the idea of having one static word that is prone to falses (lesbian, masturbation, anal, virgin, etc.) and have a pcre in the same rule to make sure there's a more vulgar word in there. The anchor word would be the iffy factor and the vulgar one the more concrete that tells us this is pron and not virginia. I don't think it'd be too processor intensive a pcre statement.

> Here are some thoughts based on my past experience with this problem.
>
> 1) detect uricontent only violations, better bang for the buck.

That's what we ought to do, I agree. We're only intending to get the huge violators; these will show within that.

> 2) Look for cookies, sextracker is pretty common and sure to catch the actual valid porn surfer.

That's a good idea. How so?

> 3) Use a proxy to cache data and then use sed/awk/grep/... to identify a high likelihood of porn content and correlate that content with the logs after determining a violation has occurred.

Ya, I agree that that's a better way. But not always feasible.

> An argument can be made that it does not belong in the official rules unless it exploits a network vulnerability or detects traffic as a result of exploiting a vulnerability. It is difficult to balance purpose with need and I have had this debate on several occasions. The end result should be default value to the user and I think porn rules offer little overall value.

I think we're approaching a religious argument there. :)

>> Can you elaborate on why you think the porn rules should be off by default?
>
> Not only off but not included. They should be an opt in not an opt out.
>
> My reasoning is that porn is not a threat, vulnerability, illegal, or policy violation unless specifically defined as such. The inadvertent viewing of porn by an analyst or knowledge that someone is viewing porn has wide ranging political and professional implications. These implications put things at risk both for the analyst and the person setting off the alerts unless there is clear cause for the monitoring and clearly documented procedures for acting on violations.

Valid points. And if Brian and crew think that's the case I wouldn't really argue that much. It's one of those things that draw us as security folks out of our element and make us use our toys for other things that dilute the value.

And besides, if they come out of the snort rules they'd have a welcome home at bleedingsnort. As would any wayward orphaned rule. :)

Thanks for the points Jason. You almost have me talked out of it. :)

Matt
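The two-stage matching Matt proposes above (a cheap, false-positive-prone anchor word, confirmed by a pcre looking for a second, unambiguous term in the same rule, applied to the URI only as in Jason's point 1) and Jason's cookie idea (point 2) can be modelled outside Snort to see what they catch and what they let through. The following is an added Python example written for this page; it is not code from the thread, from Snort or from bleedingsnort. The anchor list, the confirming terms, the cookie-name format and the sample requests are all constructed for illustration (the confirming vocabulary is deliberately kept mild).

```python
"""Model of a two-stage 'anchor word + confirming regex' policy rule over
the request URI, plus a tracking-cookie check. Added example; the word
lists and sample requests are assumptions made for this illustration."""
import re

# Stage 1 (the cheap, uricontent-style anchor): plain substring matches that
# are prone to falses on their own ("virgin" hits virginia, "anal" hits
# analysis). Constructed list.
ANCHOR_WORDS = ("virgin", "anal", "lesbian", "nude")

# Stage 2 (the pcre in the same rule): the anchor only fires an alert when a
# second, unambiguous term also appears as a whole word. Constructed list.
CONFIRM_RE = re.compile(r"\b(xxx|porn|hardcore)\b", re.IGNORECASE)

# Cookie names treated as a tell. 'sextracker' comes from the thread; that it
# appears as a cookie *name* in "name=value" form is an assumption here.
TRACKER_COOKIE_NAMES = ("sextracker",)


def uri_matches(uri: str) -> bool:
    """Two-stage check on the URI only (host, path and query; no body)."""
    low = uri.lower()
    if not any(word in low for word in ANCHOR_WORDS):
        return False  # anchor miss: the regex never runs, keeping cost low
    # Anchor hit: confirm with the stricter whole-word regex.
    return CONFIRM_RE.search(uri) is not None


def cookie_matches(headers: dict) -> bool:
    """True if any cookie name in the (lower-cased) Cookie header matches."""
    cookie_header = headers.get("cookie", "")
    names = {
        part.split("=", 1)[0].strip().lower()
        for part in cookie_header.split(";")
        if part.strip()
    }
    return any(name in names for name in TRACKER_COOKIE_NAMES)


def inspect_request(uri: str, headers: dict):
    """Return 'uri' or 'cookie' for the check that would alert, else None."""
    if uri_matches(uri):
        return "uri"
    if cookie_matches(headers):
        return "cookie"
    return None


# Constructed sample requests: header names are assumed lower-cased already.
SAMPLE_REQUESTS = [
    ("http://www.virginia.gov/agencies/", {}),                      # anchor only
    ("http://www.webmd.com/sex-relationships/guide/anal-fissure", {}),  # anchor only
    ("http://example.com/reports/log-analysis", {}),               # anchor only
    ("http://example.test/xxx/virgin-videos.html", {}),            # anchor + confirm
    ("http://example.test/", {"cookie": "sextracker=abc; session=1"}),  # cookie
]


def run_samples():
    """Run every sample through inspect_request; returns [(uri, reason)]."""
    return [(uri, inspect_request(uri, hdrs)) for uri, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for uri, reason in run_samples():
        print(f"{reason or 'pass':7} {uri}")
```

The three "anchor only" samples (virginia, WebMD, log-analysis) pass because the anchor alone never alerts; the fourth alerts on the URI and the fifth on the cookie. In Snort 2 rule terms the anchor is what you would put in a `uricontent` option and the confirming term in a `pcre` option with the `U` and `i` modifiers so it also runs against the normalized URI; the substring-then-regex ordering above mirrors how the cheap content match gates the more expensive pcre.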


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
