[Emerging-Sigs] Another unknown exploit kit
nathan at packetmail.net
Mon Oct 10 20:06:36 EDT 2011
There is some value here on convention then; if a flowbit is set in one rule file but checked in another we can have issues in disparity. Convention might should be setting and checking of a flowbit constrained to a singular rule file where possible.
Speaking relative to performance, I have noted flowbit-only checks are performance degrading by a heavy margin, so much so that performance-wise checking the Java stuff per content match may actually be faster than a flowbit. Think content:" Java/"; http_header; coupled with the intended match versus flowbit checking.
Perhaps we are inadvertently abusing flowbits. Joel, any wisdom or insight here?
On Oct 10, 2011, at 18:45, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:
> No, it turns out I'm missing the relevant emerging-policy rules to set
> the flowbits. Enabling the whole lot will be problematic in a University
> (staff are bad enough, but the students ...) so I better be selective!
> Best Wishes,
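The situation discussed in this thread, a flowbit checked in one rule file while the rule that sets it is disabled or lives in another file, can be audited mechanically. The following is an added example, not code from the thread or from the Emerging Threats project; the rule text, flowbit names and sids are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rules (hypothetical names and sids, not real ET rules).
# A leading '#' means the rule is disabled, as in a selectively enabled ruleset.
SAMPLE_RULES = {
    "policy.rules": [
        '#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Java client"; '
        'content:" Java/"; http_header; flowbits:set,EXAMPLE.java; flowbits:noalert; sid:1000001;)',
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE PDF request"; '
        'content:".pdf"; http_uri; flowbits:set,EXAMPLE.pdf; flowbits:noalert; sid:1000002;)',
    ],
    "exploit.rules": [
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE jar to Java"; '
        'flowbits:isset,EXAMPLE.java; content:"PK"; sid:1000003;)',
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE PDF body"; '
        'flowbits:isset,EXAMPLE.pdf; content:"%PDF-"; sid:1000004;)',
    ],
}

FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?")
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS, CHECKERS = {"set", "setx", "toggle"}, {"isset", "isnotset"}

def audit_flowbits(rule_files):
    """rule_files: {filename: [rule lines]} -> sorted (kind, flowbit, file, sid)."""
    set_in = defaultdict(set)   # flowbit -> files holding an enabled setter
    checks = []                 # (flowbit, file, sid) for every enabled check
    for fname, lines in rule_files.items():
        for line in lines:
            if line.lstrip().startswith("#"):
                continue        # disabled rule: it neither sets nor checks
            sid = int(m.group(1)) if (m := SID.search(line)) else 0
            for action, names in FLOWBITS.findall(line):
                for name in filter(None, re.split(r"[&|\s]+", names)):
                    if action in SETTERS:
                        set_in[name].add(fname)
                    elif action in CHECKERS:
                        checks.append((name, fname, sid))
    findings = []
    for name, fname, sid in checks:
        if not set_in[name]:                 # no enabled rule ever sets it
            findings.append(("never-set", name, fname, sid))
        elif fname not in set_in[name]:      # setter exists only in another file
            findings.append(("cross-file", name, fname, sid))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_flowbits(SAMPLE_RULES), sep="\n")
```

A "never-set" finding marks a rule that cannot fire with the current selection of enabled rules; a "cross-file" finding marks a dependency that breaks if the other file is dropped from the configuration.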