Re: Rules for catching kiddy porn surfers

Good idea, but I think the falses would be pretty high on the average 
net. On your own it's probably better.

We cover a lot of school nets and gov't social work typoes of places, so 
there'd be a ton of legitimate uses for the words.

But if we could add a second one to it, something like sex or maybe. 
Although that's too easily avoided.

Maybe the word free, or something. I'm not a kiddie porn kinda guy so I 
don't know what they'd be using as search terms there.

Ideas?

matt

Kalbfleisch, Gary wrote:
> Sorry if this has been addressed here before.  I am new to this list and 
> couldn't find anything on the subject.  I have added the following rules 
> to my system with some interesting results.  I occasionally get a few 
> false positives from these but each time I have seen a significant 
> volume of hits I have found evidence of surfers actively searching for 
> child pornography.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHILDPORN 
> preteen"; content:"preteen"; nocase; flow:to_client,established; 
> classtype:child-porn; sid:1000000; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHILDPORN 
> pre-teen"; content:"pre-teen"; nocase; flow:to_client,established; 
> classtype:child-porn; sid:1000001; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHILDPORN 
> early teen"; content:"early teen"; nocase; flow:to_client,established; 
> classtype:child-porn; sid:1000002; rev:1;)
>
> -- Gary Kalbfleisch
> -- Director of Systems and Information Assurance
> -- Technology Support Services
> -- Shoreline Community College
> -- (206) 546-5813
> -- (206) 546-6943 Fax
>
>
>  
>
>  


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl