
Re: Rules for catching kiddy porn surfers: msg#00043

security.ids.snort.sigs

Subject: Re: Rules for catching kiddy porn surfers

I definitely agree there. But it's not an option in all nets unfortunately.

We use the existing porn rules to just catch major offenses on nets we cover that don't/can't/don't want to proxy and filter. They're pretty effective there. The intelligent p*rn surfer can sometimes get in under the radar, but if you're doing so at work under threat of termination you're probably not the intelligent one we're looking for. :)

And as was previously mentioned, you need to be sure you have a zero privacy expectation statement in your acceptable use policy.

The terms for the child porn are just too generic alone I think. The terms for the existing porn rules are very specific and shouldn't ever occur in normal and acceptable business communication. Not the case in the preteen rules.

But putting more thought into those: if you wanted to be able to quickly identify that a porn violation possibly included under-18 (and thus VERY illegal) content maybe we could put up rules with the preteen terms and a pcre for some of the existing porn terms. Something like:

# sid 1000000 is a placeholder in the local-rule range; the R flag anchors the
# 0-40 byte window to the end of the "preteen" match (forward direction only)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible Pre-teen P*rn"; flow:established,to_client; content:"preteen"; nocase; pcre:"/^.{0,40}(f*ck|r*pe|b*sm|wh*re)/iR"; sid:1000000; rev:1;)

(obfuscated to avoid getting 100 replies from bad spam/content filters)

The idea being that preteen is an acceptable word unless in close proximity to another unacceptable one.

Anyone see issues with this?

The best bet is to not use IDS for porn, but sometimes it's the only tool available.

Matt




twebster@xxxxxxxxxxx wrote:
Snort can certainly detect porn and child porn traffic but as stated
earlier there will be tons of false positives and I believe even more sites
that will get past snort. I believe using a web filtering product like
Dansguardian is much better suited for this purpose. www.dansguardian.org

DansG will give a much more accurate picture of your internet traffic. You
could either set it up to simply log or actively block porn sites.

Tony

snort-sigs-admin@xxxxxxxxxxxxxxxxxxxxx wrote on 10/11/2004 07:17:21 PM:


:: But if we could add a second one to it, something like sex or maybe.
:: Although that's too easily avoided.
::
:: Maybe the word free, or something. I'm not a kiddie porn kinda guy so I
:: don't know what they'd be using as search terms there.

Just a word of advice, not that I'm against catching these people, but make
sure you're allowed to monitor for this sort of activity first. I'd
actually get something in writing from your HR team before you started
doing this sort of stuff.

Okay, going back to lurking now...

Cheers - Erick


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/snort-sigs





--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
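As an added illustration (not code from the thread or from Snort itself), here is the proximity logic Matt's rule is reaching for, modelled in Python so the two behaviours can be compared on sample text. The secondary terms are kept as the obfuscated placeholders from the post and treated as literal tokens, and the sample bodies are constructed. The first function mirrors what a content match followed by a relative pcre (R flag) evaluates: the second term must start within the window after the trigger. The second function checks either direction, which a single relative pcre cannot express and which would otherwise need a second rule.

```python
import re
from typing import List, Tuple

# Trigger word that is acceptable on its own (the post's point) and the
# secondary list it must sit close to. The secondary terms are the obfuscated
# placeholders exactly as the post wrote them; re.escape makes '*' literal.
TRIGGER = "preteen"
SECONDARY = ["f*ck", "r*pe", "b*sm", "wh*re"]
WINDOW = 40  # bytes, the within:40 the post had in mind


def forward_window_matches(body: str, window: int = WINDOW) -> List[Tuple[int, str]]:
    """Forward-only proximity, what Snort evaluates for
    content:"preteen"; nocase; pcre:"/^.{0,40}(a|b|c)/iR";
    the secondary term must start within `window` bytes after the trigger.
    Returns (trigger offset, matched term) pairs."""
    alt = "|".join(re.escape(t) for t in SECONDARY)
    # No DOTALL, like a Snort pcre without the 's' flag: a newline ends the window.
    pattern = re.compile(re.escape(TRIGGER) + r".{0,%d}(%s)" % (window, alt), re.IGNORECASE)
    return [(m.start(), m.group(1).lower()) for m in pattern.finditer(body)]


def either_direction_matches(body: str, window: int = WINDOW) -> List[Tuple[int, str, int]]:
    """Symmetric proximity: flag a trigger when a secondary term lies within
    `window` bytes on either side of it. A single relative pcre cannot express
    this; it needs two rules or a standalone regex.
    Returns (trigger offset, term, gap in bytes) triples."""
    low = body.lower()
    triggers = [(m.start(), m.end()) for m in re.finditer(re.escape(TRIGGER), low)]
    hits = []
    for term in SECONDARY:
        for m in re.finditer(re.escape(term.lower()), low):
            for t_start, t_end in triggers:
                # Gap between the two tokens; 0 when they touch or overlap.
                gap = max(m.start() - t_end, t_start - m.end(), 0)
                if gap <= window:
                    hits.append((t_start, term, gap))
    return sorted(hits)


# Constructed sample bodies (not real traffic).
SAMPLES = {
    "benign": "Preteen vaccination schedule and parent guide for the school clinic.",
    "forward": "preteen site with wh*re links inside",
    "too_far": "preteen " + "x" * 100 + " wh*re",
    "backward": "wh*re photos near a preteen context",
}


def evaluate(samples=SAMPLES, window: int = WINDOW):
    """Return {name: (forward_alert, either_direction_alert)} per sample body."""
    return {
        name: (bool(forward_window_matches(body, window)),
               bool(either_direction_matches(body, window)))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:9s} forward={str(verdict[0]):5s} either={verdict[1]}")
```

The "benign" body shows why the trigger alone is useless as a rule, and "backward" shows the blind spot of the relative-pcre form: the secondary term precedes the trigger, so only the symmetric check alerts. Widening the window (the `window` argument) trades that miss rate for more noise, which is the same tuning decision the thread is debating.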



