[Emerging-Sigs] Another unknown exploit kit

Nathan nathan at packetmail.net
Mon Oct 10 20:06:36 EDT 2011


There is some value in convention here, then; if a flowbit is set in one rule file but checked in another, we can have issues with disparity.  Convention should perhaps be that the setting and checking of a flowbit are constrained to a single rule file where possible.

Speaking of performance, I have noted that flowbit-only checks are performance-degrading by a heavy margin, so much so that, performance-wise, checking the Java stuff with a content match may actually be faster than a flowbit.  Think content:" Java/"; http_header; coupled with the intended match, versus flowbit checking.

Perhaps we are inadvertently abusing flowbits.  Joel, any wisdom or insight here?

Nathan

On Oct 10, 2011, at 18:45, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:

> No, it turns out I'm missing the relevant emerging-policy rules to set
> the flowbits. Enabling the whole lot will be problematic in a University
> (staff are bad enough, but the students ...) so I better be selective!
> 
> Best Wishes,
> Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111010/b196e575/attachment-0001.html
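The two problems raised in this thread (a flowbit checked by a rule whose setter lives in a different, possibly disabled, rule file) are easy to catch mechanically before a ruleset is loaded. The following Python lint is an added example written for this page, not code from the Emerging Threats project or from anyone in the thread. It parses `flowbits:` options out of Snort-style rule files, treats a rule commented out with a leading `#` as disabled, and reports bits that are never set, bits whose only setters are disabled, and bits set in one file but checked in another. The rule files, rule text, flowbit names and sids (9000001 and up) are constructed for the example and are not real ET signatures.

```python
"""Lint Snort/Suricata rule files for flowbit hygiene (added example, not ET code).

Reports, per flowbit that an enabled rule checks:
  never-set        no rule in any file sets it
  setter-disabled  every rule that sets it is commented out (#alert ...)
  cross-file       it is set only in a file other than the one checking it
"""
import re
from collections import defaultdict

# One flowbits option: flowbits:<op>[,<names>];  names may be joined with & or |
FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?\s*;', re.I)
RULE_ACTION_RE = re.compile(r'(alert|drop|reject|pass|log)\s')

SETTERS = {"set", "setx", "toggle"}
CHECKERS = {"isset", "isnotset"}


def parse_flowbits(rule_files):
    """rule_files: {filename: rule text}.  Returns (setters, checkers), each
    mapping flowbit name -> set of (filename, enabled) tuples."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for fname, text in rule_files.items():
        for line in text.splitlines():
            stripped = line.strip()
            enabled = not stripped.startswith("#")
            body = stripped.lstrip("# ")          # "#alert ..." is a disabled rule
            if not RULE_ACTION_RE.match(body):    # skip blanks and plain comments
                continue
            for op, names in FLOWBITS_RE.findall(body):
                op = op.lower()
                if op not in SETTERS | CHECKERS or not names:   # e.g. flowbits:noalert;
                    continue
                target = setters if op in SETTERS else checkers
                for bit in re.split(r'[&|]', names):
                    if bit.strip():
                        target[bit.strip()].add((fname, enabled))
    return setters, checkers


def lint_flowbits(rule_files):
    """Return a list of (kind, flowbit, [files]) findings, sorted by flowbit name."""
    setters, checkers = parse_flowbits(rule_files)
    findings = []
    for bit, checks in sorted(checkers.items()):
        check_files = sorted({f for f, en in checks if en})
        if not check_files:
            continue                               # nothing enabled checks this bit
        all_setters = sorted({f for f, _ in setters.get(bit, ())})
        enabled_setters = sorted({f for f, en in setters.get(bit, ()) if en})
        if not all_setters:
            findings.append(("never-set", bit, check_files))
        elif not enabled_setters:
            findings.append(("setter-disabled", bit, all_setters))
        else:
            for f in check_files:
                if f not in enabled_setters:
                    findings.append(("cross-file", bit, enabled_setters + [f]))
    return findings


# Constructed sample ruleset: sids 9000001+ and "example.*" bits are made up for this demo.
SAMPLE_RULES = {
    "emerging-policy.rules": (
        '#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Java client UA"; '
        'flow:established,to_server; content:" Java/"; http_header; '
        'flowbits:set,example.java.client; flowbits:noalert; sid:9000001; rev:1;)\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE PDF request"; '
        'flow:established,to_server; content:".pdf"; http_uri; '
        'flowbits:set,example.pdf.request; flowbits:noalert; sid:9000002; rev:1;)\n'
    ),
    "emerging-current_events.rules": (
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE EK jar to Java client"; '
        'flow:established,from_server; flowbits:isset,example.java.client; '
        'content:"|50 4B 03 04|"; depth:4; sid:9000003; rev:1;)\n'
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE EK landing"; '
        'flow:established,from_server; flowbits:isset,example.ek.landing; '
        'content:"<applet"; nocase; sid:9000004; rev:1;)\n'
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE PDF from EK"; '
        'flow:established,from_server; flowbits:isset,example.pdf.request; '
        'content:"%PDF"; depth:4; sid:9000005; rev:1;)\n'
    ),
}

if __name__ == "__main__":
    for kind, bit, files in lint_flowbits(SAMPLE_RULES):
        print(f"{kind:16} {bit:24} {', '.join(files)}")
```

Run against the constructed ruleset it reports three findings: `example.ek.landing` is checked but never set anywhere, `example.java.client` has its only setter commented out in emerging-policy.rules (the situation Chris describes), and `example.pdf.request` is set in emerging-policy.rules but only checked in emerging-current_events.rules (the cross-file case the convention above would avoid). To use it on a real deployment, read each `*.rules` file into the dictionary in place of `SAMPLE_RULES`.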

