Shostack + Friends Blog Archive


My Bleeding Snort Rules Just Alerted Me to TERRORISM!

Err, no.

But I was reading a post at TaoSecurity, “How to Misuse an Intrusion Detection System:”

I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:

(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)
(washington|london|new york)

But such rules would trigger when I read Richard’s page, or when you read mine. Way to add to your false positive worthless alert count, baby.

And thats not even considering that Al Qaeda uses simple codewords, like marriage, package, and transaction to discuss their activities. [Update: Then again, maybe they don’t. Read “Letters of the 1993 World Trade Center Bombers at the Counterterrorism blog. Not that that means looking for the word “jihad” in English is likely to be helpful.]

4 comments on "My Bleeding Snort Rules Just Alerted Me to TERRORISM!"

  • Justin Mason says:

    wow, that’s moronic. reminds me of one reason we moved the SpamAssassin mailing lists off — their half-baked antispam rules kept blocking our discussions of antispam techniques 😉

  • Justin Mason says:

    oh, I should mention — this is a good demo of the value of deriving rules from the data you want to catch, not from an abstract notion of what you *should* look for…

  • Chris Walsh says:

    Real patriots use Snort-inline to eliminate the terrorist threat!
    “The Parrot dines at midnight!”

  • David Brodbeck says:

    Reminds me of how people used to put blocks of suspicious-looking words in USENET sigs, with the idea of making any NSA keyword-monitoring systems useless due to false positives.
    (See also:

Comments are closed.