How to Misuse an Intrusion Detection System

I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:

(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)

(washington|london|new york)

Here is part of my reply to the Bleeding-Sigs thread.

These rules are completely inappropriate.

First, there is no digital security aspect of these rules, so the "provider exception" of the wiretap act is likely nullified. Without obtaining consent from the end users (and thereby protection under the "consent exception"), that means the IDS is conducting a wiretap. The administrator could go to jail, or at least expose himself and his organization to a lawsuit from an intercepted party.

Second, the manner in which most people deploy Snort would not yield much insight regarding why these rules triggered. At best a normal Snort user would get a packet containing content that caused Snort to alert. That might be enough to determine no real "terrorism" is involved, but it might also be enough to begin an "investigation" that stands on dubious grounds due to my first point.

Third, does anyone think real terrorists use any of the words listed in the rules? If anyone does, they have no experience with the counter-terrorism world.

An IDS should be used to provide indicators of security incidents. Otherwise, it becomes difficult to justify its operation, legally and ethically.

Unfortunately, I saw both rules (at least commented out) in the latest bleeding ruleset.

What do you think?
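As an added illustration of the false-positive problem (example code written for this post, not from the Bleeding-Sigs rules themselves), the following script runs the two PCRE bodies quoted above against a small constructed set of ordinary news and office text. It assumes case-insensitive matching (the /i flag) and treats each PCRE as its own rule, as the post describes them.

```python
import re

# The two PCRE bodies quoted in the post. Assumption: compiled case-insensitively,
# as Snort rules of this kind normally are.
RULES = {
    "terror-terms": re.compile(
        r"(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)", re.I),
    "terror-places": re.compile(r"(washington|london|new york)", re.I),
}

# Constructed sample "traffic": ordinary web and mail text, none of it malicious.
BENIGN_SAMPLES = [
    "Washington Post: budget fight could destroy bipartisan deal",
    "London weather: heavy rain expected to attack the south coast on Sunday",
    "Obituary: death of retired teacher, 87, in New York",
    "Flights from London to New York delayed by fog",
    "Security team: reduce the attack surface before the audit",
    "Team meeting moved to 3pm, see you in the conference room",
    "Your order has shipped and will arrive on Tuesday",
]

def rule_alerts(text):
    """Return the names of the rules that would alert on this payload."""
    return [name for name, pattern in RULES.items() if pattern.search(text)]

def evaluate(samples):
    """Count alerts per rule, plus payloads that trip at least one rule."""
    counts = {name: 0 for name in RULES}
    counts["any"] = 0
    for text in samples:
        fired = rule_alerts(text)
        for name in fired:
            counts[name] += 1
        if fired:
            counts["any"] += 1
    return counts

def false_positive_rate(samples):
    """Fraction of a corpus known to be benign that produces an alert."""
    return evaluate(samples)["any"] / len(samples)

if __name__ == "__main__":
    for text in BENIGN_SAMPLES:
        print(f"{rule_alerts(text) or ['-']} <- {text}")
    print("per-rule alert counts:", evaluate(BENIGN_SAMPLES))
    print(f"false positive rate: {false_positive_rate(BENIGN_SAMPLES):.2f}")
```

Every alert here comes from headlines and routine mail, which is the only kind of "event" an analyst would end up chasing.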


Anonymous said…
I totally agree with you!
Anonymous said…
Hi Richard, thanks for commenting on this, and thanks for agreeing with me! I put up an entry on my website on this the other day.

Sadly, I have gotten a few e-mails asking me if I support terror groups after I posted to the list complaining that the rule is a bad idea. Hopefully you won't get the same.

You are 100% right on this. Thanks for raising awareness on this.
Joao Barros said…
Looking at the rule and the comment on it "Terrorist Rule" and the rule name "Possible Terrorism Related Content" it would almost be funny if it wasn't true, and so vague in its definition: is it a terrorist website claiming responsibility for the act? is it a news website? or like Jim's example on his blog, a simple, innocent email?!

Those "terrorist rules" per se are vague and, allow me, just plain stupid. Maybe in some weird context it makes sense to the author.

PS: Jim, those people asking if you support terrorist groups...did I mention stupid before? ;)
Anonymous said…
This just proves we have idiots on both sides of the fence. We're relying on you Richard to straighten them out...


Anonymous said…
I know a parent who installed monitoring software on his 11 yr old daughter's triggers on certain keywords. She uses the keywords, but doesn't spell them correctly...

If an 11 yr old can figure out how to get past simple filters just to communicate with another 11 yr old, what makes someone think that someone out to take innocent lives is going to spell out "Washington, DC" or "London".

Come on! Whoever wrote those rules has way too much time on their hands...and not enough of that time is spent in the real world. You should have taken the blue pill!!

H. Carvey
"Windows Forensics and Incident Recovery"
Anonymous said…
My IDS just sent me an alert saying that this blog is associated with terrorism. Drat... yet another false positive. ;)
Anonymous said…
Agreed. Those filters will just as easily trigger on a New York Times article, for crying out loud.
Anonymous said…
Content filtering is a legitimate activity for companies concerned about the legal ramifications of pornography or other inappropriate content.

But this isn't content filtering - it's content alerting. Filtering for words that commonly appear in the news seems like a way to keep someone busy chasing "events" and exposing the company to legal liabilities for wiretapping.
Anonymous said…
Does anyone really believe that Islamic extremists who hate the West use English for any communication...
Anonymous said…
Paranoia. What else could I say? Besides, that's a kind of wiretap as Richard pointed out.

Bleeding Snort rules are *VERY* useful, but it's also useful to keep an eye on what's new. You can do it with Oinkmaster [1] or through RSS:

Syndication Feeds

The rules in question are under bleeding-policy.rules [2] individual ruleset. I would also recommend implementing individual rulesets, not bleeding-all.rules [3].


Ronaldo C Vasconcellos

Security Incidents Response Center
Brazilian Research and Academic Network

[1] Oinkmaster

[2] bleeding-policy.rules

[3] bleeding-all.rules
Anonymous said…
Doh! My IDS is going crazy with these alerts! I must have terrorists on our IDS! Call Rumsfeld!

Note: This is a joke. This is not real.
Anonymous said…
Maybe using snort-inline or a similar tool to rewrite the content would be even better! Imagine how frustrated the freedom-haters would be when, instead of "Death to America", their terrorist email says "I enjoy baseball and television sitcoms!"

On second thought, maybe we should leave the keyword stuff to the NSA ;^)
Anonymous said…
This is like looking for hacker activity by looking for strings like (hacker|buffer overflow|r00t|pwn3d), plus they're going to tear your sensor a new snorthole due to using unqualified PCRE rules (no content matches in the rules). And it's matching on server-side HTTP and client-side SMTP traffic, likely to be a very large amount of data in many networks.

There's a lot to not like here...
Anonymous said…
These rules will prove invaluable in the War on Terrorist Stereotypes.
Those wondering about the legal issues of monitoring may find this article interesting.