My Bleeding Snort Rules Just Alerted Me to TERRORISM!
But I was reading a post at TaoSecurity, “How to Misuse an Intrusion Detection System”:
I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:
(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels) (washington|london|new york)
But such rules would trigger when I read Richard’s page, or when you read mine. Way to add to your false positive worthless alert count, baby.
And that’s not even considering that Al Qaeda uses simple codewords, like marriage, package, and transaction to discuss their activities. [Update: Then again, maybe they don’t. Read “Letters of the 1993 World Trade Center Bombers” at the Counterterrorism blog. Not that that means looking for the word “jihad” in English is likely to be helpful.]
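To make the false-positive point concrete, here is an added example (mine, not code from the post or from the bleeding-sigs list) that runs the quoted pattern over a few constructed sample pages. Case-insensitive matching is an assumption, since the post shows the pattern without Snort’s pcre modifiers.

```python
import re

# The bleeding-sigs pattern quoted in the post, as a Python regex. Snort's
# pcre option would normally carry an /i flag; the post does not show one, so
# case-insensitive matching is an assumption here.
RULE = re.compile(
    r"(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)"
    r" (washington|london|new york)",
    re.IGNORECASE,
)


def scan(text):
    """Return each (trigger, place) pair the rule would alert on in text."""
    return [(m.group(1), m.group(2)) for m in RULE.finditer(text)]


# Constructed sample pages (not real traffic) covering the cases the post raises.
SAMPLES = {
    # A security blog quoting the rule: the reader's own page trips the rule.
    "ids_blog": "The proposed PCRE matches phrases such as 'attack london' "
                "or 'death washington', which is why this post alerts too.",
    # Ordinary prose with a trigger word sitting next to a place name.
    "news": "Pollen will attack London allergy sufferers this weekend; "
            "one death Washington police said was unrelated.",
    # The codeword style the post mentions: nothing for the rule to match.
    "codewords": "The wedding package ships Tuesday; confirm the transaction.",
    # The literal trailing space inside 'jihad ' means that alternative only
    # matches when TWO spaces separate it from the place name.
    "single_space": "jihad london",
    "double_space": "jihad  london",
}


def alert_counts(samples=SAMPLES):
    """Number of alerts each sample page would raise."""
    return {name: len(scan(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13s} -> {scan(text)}")
```

The two benign pages alert twice each while the codeword page never does, and the stray space in `jihad ` silently breaks that alternative for normally spaced text.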