[Emerging-Sigs] Properly handling dynamic IP rules (compromised, botcc, etc)

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 12 17:05:57 EDT 2010


We do need a better solution for this certainly...

It's going to be slightly different for each rule manager though. Essentially we need a way to delete rules over a certain sid if the rules constrict. 

Or we set a max number of rules and distribute the IPs across them all regardless of size....

Ideas?

matt


On Oct 11, 2010, at 11:15 AM, Korodev wrote:

>> Hmmm, good point there. If the list of ips decreases significantly then the end of the range rules are going to never update as a new rev will not be released.
> 
> Will there be any changes to the way the IP list rules are managed,
> updated, and distributed in the new ruleset?
> 
> Did we ever reach a solution on distributing IPs across a set number
> of rules to prevent sid-less alerts when the IP lists shrink? This
> seems like a good time to address these along with the current
> changes.
> 
> \\korodev


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
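The second option in the message (a fixed block of sids, IPs spread across all of them regardless of list size), as an added example that is not code from the list or from Emerging Threats. The rule text format, the sid block and the message strings are assumed; groups that end up with no IPs after the list shrinks are emitted as disabled rules so the rule manager still sees a fresh rev for that sid instead of a stale alerting copy.

```python
import ipaddress
import re
from typing import List, Set

# Assumed Snort-style rule text for the example, not the ET ruleset's own.
RULE_FMT = (
    'alert ip [{ips}] any -> $HOME_NET any '
    '(msg:"EXAMPLE dynamic IP list group {group}"; '
    'classtype:trojan-activity; sid:{sid}; rev:{rev};)'
)


def distribute(ips: List[str], base_sid: int, num_rules: int, rev: int) -> List[str]:
    """Spread ips over exactly num_rules rules with sids base_sid..base_sid+num_rules-1.

    Every sid is emitted on every build, so a rule manager always gets a new rev
    for each one. A group that receives no IPs (the list shrank) is emitted as a
    disabled rule ('# alert ...'), which rule managers treat as "this sid exists,
    turn it off", rather than silently disappearing from the file.
    """
    uniq = sorted(set(ips), key=ipaddress.ip_address)
    per = -(-len(uniq) // num_rules)  # ceiling division; 0 when uniq is empty
    out = []
    for group in range(num_rules):
        chunk = uniq[group * per:(group + 1) * per] if per else []
        rule = RULE_FMT.format(ips=",".join(chunk), group=group + 1,
                               sid=base_sid + group, rev=rev)
        out.append(rule if chunk else "# " + rule)
    return out


SID_RE = re.compile(r"\bsid:(\d+);")


def covered_sids(rules: List[str]) -> Set[int]:
    """Sids present in a rule file, enabled or disabled. Check this equals the
    whole block before shipping a rebuild, so no sid is ever left unrefreshed."""
    found = set()
    for line in rules:
        m = SID_RE.search(line)
        if m:
            found.add(int(m.group(1)))
    return found


if __name__ == "__main__":
    # Constructed sample list and sid block; the list then shrinks to one address.
    big = ["192.0.2.10", "192.0.2.3", "198.51.100.7"]
    for r in distribute(big, 9000000, 3, 1) + distribute(big[:1], 9000000, 3, 2):
        print(r)
```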
