
Re: Thresholds on Policy Rules: msg#00129

security.ids.snort.sigs

Subject: Re: Thresholds on Policy Rules

Jason wrote:

Yes, that is true, and those are the falses I hope to eliminate. I am tired of reading alerts about virginia, and stuff from WebMD. :) I would hope that this will slow those down, but they'll not eliminate it completely.


I think the proper solution is to pass those alerts or suppress them from valid sites.

Yes, but there are far too many real sources I think. Maybe we should consider then the idea of having one static word that is prone to falses (lesbian, masturbation, anal, virgin, etc.) and have a pcre in the same rule to make sure there's a more vulgar word in there. The anchor word would be the iffy factor and the vulgar one the more concrete that tells us this is pron and not virginia. I don't think it'd be too processor intensive a pcre statement.

Here are some thoughts based on my past experience with this problem.

1) detect uricontent only violations, better bang for the buck.

That's what we ought to do, I agree. We're only intending to get the huge violators; these will show within that.

2) Look for cookies, sextracker is pretty common and sure to catch the actual valid porn surfer.

That's a good idea. How so?

3) Use a proxy to cache data and then use sed/awk/grep/... to identify a high likelihood of porn content and correlate that content with the logs after determining a violation has occurred.

Ya, I agree that that's a better way. But not always feasible.



An argument can be made that it does not belong in the official rules unless it exploits a network vulnerability or detects traffic as a result of exploiting a vulnerability. It is difficult to balance purpose with need, and I have had this debate on several occasions. The end result should be default value to the user, and I think porn rules offer little overall value.

I think we're approaching a religious argument there. :)



Can you elaborate on why you think the porn rules should be off by default?


Not only off, but not included. They should be an opt-in, not an opt-out.

My reasoning is that porn is not a threat, vulnerability, illegal, or policy violation unless specifically defined as such. The inadvertent viewing of porn by an analyst or knowledge that someone is viewing porn has wide ranging political and professional implications. These implications put things at risk both for the analyst and the person setting off the alerts unless there is clear cause for the monitoring and clearly documented procedures for acting on violations.


Valid points. And if Brian and crew think that's the case I wouldn't really argue that much. It's one of those things that draw us as security folks out of our element and make us use our toys for other things that dilute the value.

And besides, if they come out of the snort rules they'd have a welcome home at bleedingsnort. As would any wayward orphaned rule. :)

Thanks for the points Jason. You almost have me talked out of it. :)

Matt
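The anchor-plus-pcre idea and the cookie check discussed above, modelled as an added Python example that is not from the thread or from Snort: the anchor words are cheap substring checks standing in for a uricontent option, the confirming terms (constructed here, the thread does not list them) stand in for the pcre in the same rule, and the cookie test models the sextracker point. All request samples are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Anchor words the thread calls "prone to falses": cheap substring matches,
# the role a uricontent/content fast pattern plays in a Snort rule.
ANCHOR_WORDS = ("virgin", "lesbian", "anal", "masturbation")

# Confirming terms (constructed for this example). The rule only fires when one
# of these also appears, mirroring a pcre option evaluated after the content match.
CONFIRM_RE = re.compile(r"\b(?:xxx|porn|hardcore)\b", re.IGNORECASE)

# Cookie name the thread mentions as a strong indicator of an actual adult-site visit.
TRACKER_COOKIE = "sextracker"


def anchor_hit(uri: str) -> bool:
    """Stage 1: case-insensitive substring check on the decoded URI."""
    decoded = unquote(uri).lower()
    return any(word in decoded for word in ANCHOR_WORDS)


def confirm_hit(uri: str) -> bool:
    """Stage 2: word-bounded regex, run only when stage 1 matched to keep cost low."""
    return CONFIRM_RE.search(unquote(uri)) is not None


def cookie_hit(headers: dict) -> bool:
    """Check whether the request carries the tracker cookie."""
    cookie = headers.get("Cookie", "")
    return any(c.strip().lower().startswith(TRACKER_COOKIE) for c in cookie.split(";"))


def classify(uri: str, headers: dict) -> Optional[str]:
    """Return why a request would alert, or None when neither signal is conclusive."""
    if cookie_hit(headers):
        return "tracker-cookie"
    if anchor_hit(uri) and confirm_hit(uri):
        return "anchor+confirm"
    return None


if __name__ == "__main__":
    # Constructed requests: the first two are the "virginia"/WebMD style falses.
    samples = [
        ("/virginia/tourism/beaches.html", {}),
        ("/webmd/sleep-analysis.html", {}),
        ("/pics/virgin/xxx/index.html", {}),
        ("/index.html", {"Cookie": "sextracker=abc123; lang=en"}),
    ]
    for uri, hdrs in samples:
        print(f"{uri:40} -> {classify(uri, hdrs)}")
```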



