Thread: Snort doesn't detect everything.
At our university we've got a Security Lab that has total access to the internet, and the university network administrators do no maintenance in our lab at all.
Thus we have been asked to set up a snort server. We've connected the snort server to the SPAN port of the switch and have configured it to detect porn, as the only thing the university is really scared of is hosting porn.
Well, we configured it so that we should detect most porn.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;)
Then we tried bdsm dot nl (Dutch) and it didn't work. Nor did googling for bdsm or checking Wikipedia for this.
It's a Debian box that has the vanilla porn rules enabled.
The only thing I can imagine I am missing is gzip support.
Although when we remove the flowto part it does work.
Does anyone know anything we might have overlooked in Snort for this setup? Is gzip seriously the problem? When flowto is removed it works, and it's driving us (essentially me) nuts.
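The symptom in this post (the rule only fires once flow:to_client is dropped) is consistent with the keyword being visible in the client's request, in the Host header, but not in the server's gzip-compressed response body. The following is an added example, not code from the thread, that models a Snort-style nocase content match with and without a flow restriction over constructed HTTP traffic; the inflate step stands in for the HTTP preprocessor decompressing the body before inspection.

```python
import gzip
import re

# Constructed sample traffic (not a real capture): a client request for a
# hostname containing the keyword, and a gzip-compressed server response
# whose HTML body also contains it.
REQUEST = (b"GET / HTTP/1.1\r\nHost: bdsm.example\r\n"
           b"Accept-Encoding: gzip\r\n\r\n")
BODY = b"<html><title>BDSM forum</title><body>welcome</body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(BODY, mtime=0))

# One TCP session as (direction, payload) pairs.
SESSION = [("to_server", REQUEST), ("to_client", RESPONSE)]


def inflate_http_body(payload):
    """Decompress a gzip-encoded HTTP body, as an HTTP-aware inspector
    would before running content matches; other payloads pass through."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or b"content-encoding: gzip" not in head.lower():
        return payload
    return head + sep + gzip.decompress(body)


def rule_matches(content, packets, flow=None, inflate=False):
    """Minimal model of a Snort content match with nocase and an optional
    flow:to_client / flow:to_server restriction (flow=None means no
    restriction, i.e. the rule is checked in both directions)."""
    pattern = re.compile(re.escape(content), re.IGNORECASE)
    for direction, payload in packets:
        if flow is not None and direction != flow:
            continue
        if inflate:
            payload = inflate_http_body(payload)
        if pattern.search(payload):
            return True
    return False


def demo():
    """Run the three variants discussed in the post against the session."""
    return {
        "to_client, raw": rule_matches(b"BDSM", SESSION, flow="to_client"),
        "no flow, raw": rule_matches(b"BDSM", SESSION),
        "to_client, inflated": rule_matches(b"BDSM", SESSION,
                                            flow="to_client", inflate=True),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```

Without the flow restriction the rule fires on the request (the hostname), which is why removing it "works"; a to_client match only sees the compressed bytes unless gzip decompression is enabled in the HTTP inspection.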
Your mission and what you're trying to do look to be at odds. Your employer is worried about hosting porn, and you're trying to detect the retrieval of it from outside hosts. Am I missing something? There are lots of ways to get porn on your hosts other than retrieving it from outside hosts directly. Are you also taking countermeasures for content on your hosts introduced by other means?
In any case, no matter what you do, snort is not going to detect everything. Appliances with a heuristic approach and access to broad-based trends, like Bluecoat proxies, will do a better, but still not foolproof, job.
Well, hosting and receiving. We know that there are ways to get around this. But that's not really a problem.
Since when you put an image or movie in an encrypted archive and call the archive "my_little_bunny.png", no system at all can detect it.
The systems that are connected to our network are student laptops, and thus we can't put software on them.
Bluecoat isn't a solution as the budget for this project is <$0. (heh).
I've already written a little app to detect skin in pictures or movies that are downloaded.
That app will also detect photos of loads of people, as there is a lot of skin.
Nothing is foolproof. We just want to set up snort (and some other software) to detect it when it's happening, but not stop it.
Sounds as if you are making a huge rod for your own back. I know of one university which implemented skin tone detection. Worked very well, but upset their agriculture department as it excluded images of pigs. Would probably exclude images of interest to fine arts departments too. However, the technology might have improved since then.
Have you reconciled your approach with your university IT regulations and any relevant national legislation?
I don't know where you are but here in the UK we are constrained by the Regulation of Investigatory Powers Act which makes it a criminal offence to 'snoop' on traffic unless you have said you will do so beforehand.
I'm retired now but our approach was along the lines of:
"thou shalt not ..."
"We do not examine traffic or stored data unless there is a malfunction, disruptive traffic levels or if required for audit or by law enforcement agencies".
Either way, best wishes.
Checking for porn activity
I am in agreement with the other responder; Bluecoat has a much nicer interface and it comes in different sizes, suitable for your organization.
There is also another appliance called the PaloAlto Firewall. This not only filters and reports on porn sites but also gives the user various options, and if the user is looking at porn on different ports, it is able to scan the content for that information as well. It comes in very small sizes similar to Bluecoat.
When you plug a cable into the segment you can do ANYTHING. This includes attacking other students etc. It's meant to be a free-to-roam network.
The issue was that because of this huge freedom there was a good chance that it could be set up as a porn hub.
We figured out how to do this with snort and my own tool.
It's not as nice as the one done at the other university, since some test files get through and family pictures get detected, but it's not that big of an issue as it's really just a proof of concept.