This is a discussion on RE: [Snort-users] Snort 1U Appliance for Sale on EBay within the Snort forums, part of the System Security and Security Related category.
you're all going to hell for picking on the poor man =p~ heh
-----Original Message-----
From: Brian [mailto:bmc@snort.org]
Sent: Friday, February 27, 2004 4:43 PM
To: Kreimendahl, Chad J
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Snort 1U Appliance for Sale on EBay

On Fri, Feb 27, 2004 at 10:21:04AM -0600, Kreimendahl, Chad J wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Salesman BS Overflow Detected"; pcre:"/turn[-\s]*key/i"; classtype:marketing-mumbojumbo; sid:55378008; rev:1;)

Ugh. There are all sorts of issues with this rule.

1) First, salesman is sexist.

2) Second, not all sales people are into mumbojumbo, only idiots are into mumbojumbo. As such, we should clarify the message.

3) Third, I highly doubt sales people would be able to send raw TCP packets, nor would their target audience be listening for that, so make sure it is in a valid TCP stream.

4) The classtype marketing-mumbojumbo is the wrong classtype. This rule looks for a sales idiot, not a marketing idiot. You could get the wrong person fired with that classtype.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDIOT SALES PEOPLE BS overflow attempt"; flow:established; content:"turn"; nocase; pcre:"/turn[-\s]*?key/i"; classtype:sales-mumbojumbo; sid:55378008; rev:2;)

There, much better. :)

Brian
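The joke aside, Brian's rev:2 changes follow the usual Snort evaluation order: the flow check and the cheap content fast-pattern run before the PCRE. The model below is an added example, not Snort code and not from the thread; it evaluates both rule revisions over a few constructed payloads and counts how often the regex actually runs, assuming the simplified order flow -> content -> pcre.

```python
import re

# Constructed sample traffic for this example: (flow_established, payload).
SAMPLE_PACKETS = [
    (False, b"GET / HTTP/1.0\r\n"),                   # not in an established stream
    (True,  b"Our TURN-KEY 1U appliance ships now"),   # uppercase, hyphen separator
    (True,  b"a turn\n  key solution"),                # whitespace/newline separator
    (True,  b"nothing to see here"),                   # no "turn" at all
    (True,  b"turning the corner is key"),             # "turn" present, but no turn-key
]

# The pcre from the thread; re.IGNORECASE covers the trailing /i flag.
TURNKEY_RE = re.compile(rb"turn[-\s]*?key", re.IGNORECASE)


def eval_rev1(established, payload, stats):
    """rev:1 as posted: the PCRE runs on every packet, stream state ignored."""
    stats["pcre_runs"] += 1
    return TURNKEY_RE.search(payload) is not None


def eval_rev2(established, payload, stats):
    """rev:2 as rewritten: flow:established, then content:"turn" nocase, then pcre."""
    if not established:                  # flow:established
        return False
    if b"turn" not in payload.lower():   # content:"turn"; nocase; (fast-pattern prefilter)
        return False
    stats["pcre_runs"] += 1              # only now is the expensive regex evaluated
    return TURNKEY_RE.search(payload) is not None


def run(rule):
    """Return (indexes of alerting packets, number of PCRE evaluations)."""
    stats = {"pcre_runs": 0}
    hits = [i for i, (est, p) in enumerate(SAMPLE_PACKETS) if rule(est, p, stats)]
    return hits, stats["pcre_runs"]


if __name__ == "__main__":
    for name, rule in (("rev:1", eval_rev1), ("rev:2", eval_rev2)):
        hits, runs = run(rule)
        print(f"{name}: alerts on packets {hits}, PCRE evaluated {runs} times")
```

Both revisions alert on the same two payloads, but rev:2 runs the regex on three packets instead of five; the non-greedy `*?` changes nothing here, since both forms must still reach "key".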