Wednesday, 13 July 2005

How to Misuse an Intrusion Detection System

I was dismayed to see the following thread in the bleeding-sigs mailing list recently. Essentially someone suggested using PCRE to look for this content on Web pages and email:

(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)

(washington|london|new york)

Here is part of my reply to the Bleeding-Sigs thread.

These rules are completely inappropriate.

First, there is no digital security aspect of these rules, so the "provider exception" of the wiretap act is likely nullified. Without obtaining consent from the end users (and thereby protection under the "consent exception"), that means the IDS is conducting a wiretap. The administrator could go to jail, or at least expose himself and his organization to a lawsuit from an intercepted party.

Second, the manner in which most people deploy Snort would not yield much insight regarding why these rules triggered. At best a normal Snort user would get a packet containing content that caused Snort to alert. That might be enough to determine no real "terrorism" is involved, but it might also be enough to begin an "investigation" that stands on dubious grounds due to my first point.

Third, does anyone think real terrorists use any of the words listed in the rules? If anyone does, they have no experience with the counter-terrorism world.
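To make the false-positive problem concrete, here is an added example that is not from the post or the Bleeding-Sigs thread. It applies the two patterns quoted above, as Python regular expressions, to a handful of constructed, entirely benign lines of the kind that cross any corporate network every day. Case-insensitive matching is an assumption, standing in for the `i` modifier a Snort `pcre` rule would normally carry; the sample texts, the rule labels and the function names are mine. Because the patterns match substrings, ordinary words such as "Callahan", "destroyer" and "heart attack" fire the first rule, and the only thing an analyst gets back is the matched snippet, which is exactly the position the second point above describes.

```python
import re

# The two patterns exactly as quoted in the post (the trailing space after
# "jihad" is in the original). IGNORECASE is an assumption: a Snort pcre rule
# would normally carry the /i modifier, and without it the lowercase "allah"
# and "washington" would miss capitalised text.
RULE_TERROR_WORDS = re.compile(
    r"(jihad |al Qaida|allah|destroy|kill americans|death|attack|infidels)",
    re.IGNORECASE,
)
RULE_CITIES = re.compile(r"(washington|london|new york)", re.IGNORECASE)

# Constructed sample payloads: benign web/email text, nothing "terrorist" about
# any of them. Only the last one contains none of the listed substrings.
SAMPLES = {
    "news_health": "Heart attack risk rises with age, a new study finds.",
    "business_email": "Our sales team in London and New York will meet "
                      "in Washington next week.",
    "obituary": "Mary Callahan, 87, died peacefully at home.",
    "navy_news": "The destroyer returns to port after a six-month deployment.",
    "literature": "The book club is reading Death of a Salesman this month.",
    "quarterly_report": "Quarterly figures are attached; please review "
                        "before Friday.",
}


def scan(text):
    """Apply both rules to one payload, the way a content-matching IDS would.

    Returns, per rule, the list of matched snippets. The snippet is all the
    context such an alert carries: the match tells you a substring was present,
    not why it was there.
    """
    return {
        "terror_words": [m.group(0) for m in RULE_TERROR_WORDS.finditer(text)],
        "cities": [m.group(0) for m in RULE_CITIES.finditer(text)],
    }


def alerts(samples):
    """Return the samples that would raise at least one alert, with the hits."""
    fired = {}
    for name, text in samples.items():
        hits = scan(text)
        if any(hits.values()):
            fired[name] = hits
    return fired


if __name__ == "__main__":
    for name, hits in alerts(SAMPLES).items():
        print(f"{name:18s} {hits}")
    # Five of the six benign samples trigger a rule; the matched substrings
    # ("allah" from "Callahan", "destroy" from "destroyer") are all an analyst
    # would see in the packet that caused the alert.
```

Run as-is to list the alerts; swapping `SAMPLES` for lines pulled from a real proxy or mail log is the quickest way to estimate how many "investigations" such a rule would open per day on a given network.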

An IDS should be used to provide indicators of security incidents. Otherwise, it becomes difficult to justify its operation, legally and ethically.

Unfortunately, I saw both rules (at least commented out) in the latest bleeding ruleset.

What do you think?
