[Emerging-Sigs] Another unknown exploit kit

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 06:21:57 EDT 2011


On Oct 10, 2011, at 8:06 PM, Nathan wrote:

> There is some value here on convention then; if a flowbit is set in one rule file but checked in another we can have issues in disparity.  Convention should perhaps be that setting and checking of a flowbit are constrained to a single rule file where possible.

We don't need flowbits if we're in the same rule. :) We have to use them to get across many packets in a stream, etc. 


> 
> Speaking relative to performance I have noted flowbit-only checks are performance degrading by a heavy margin, so much so that performance-wise checking the Java stuff per content match may actually be faster than a flowbit.  Think content:" Java/"; http_header; coupled with the intended match versus flowbit checking.
> 

Can't, in different packets. Unfortunately.

Well.. differences on different engines. Suri is better on flowbit only sigs. Suri also has global flowbits/flowvars coming shortly. So the behavior will diverge greatly soon.

> Perhaps we are inadvertently abusing flowbits, Joel any wisdom or insight here?
> 
> Nathan
> 
> On Oct 10, 2011, at 18:45, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:
> 
>> No, it turns out I'm missing the relevant emerging-policy rules to set
>> the flowbits. Enabling the whole lot will be problematic in a University
>> (staff are bad enough, but the students ...) so I better be selective!
>> 
>> Best Wishes,
>> Chris
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
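The cross-file flowbit problem Nathan and Chris describe (a bit set in emerging-policy.rules but checked in another file, so disabling the policy rules silently breaks the check) can be caught with a small lint over the rule files. The following is an added example, not code from the list or from Emerging Threats; the two rule files, their sids and the bit names `example.java_ua` and `example.ek_landing` are constructed for illustration, though the flowbits and http_header keywords are standard Snort/Suricata syntax:

```python
import re
from collections import defaultdict

# Constructed sample rule files (hypothetical; not Emerging Threats rules).
RULE_FILES = {
    "emerging-policy.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"EXAMPLE POLICY Java User-Agent"; flow:established,to_server; '
        'content:" Java/"; http_header; flowbits:set,example.java_ua; '
        'flowbits:noalert; sid:9000001; rev:1;)\n'
    ),
    "emerging-exploit.rules": (
        '# checks a bit that is only set in emerging-policy.rules\n'
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
        '(msg:"EXAMPLE EXPLOIT jar served to Java client"; flow:established,to_client; '
        'flowbits:isset,example.java_ua; content:"application/java-archive"; '
        'http_header; sid:9000002; rev:1;)\n'
        '# set and checked in the same file: no finding\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"EXAMPLE EXPLOIT kit landing"; flow:established,to_server; '
        'content:"/land.php?"; http_uri; flowbits:set,example.ek_landing; '
        'flowbits:noalert; sid:9000003; rev:1;)\n'
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
        '(msg:"EXAMPLE EXPLOIT kit payload"; flow:established,to_client; '
        'flowbits:isset,example.ek_landing; content:"application/x-msdownload"; '
        'http_header; sid:9000004; rev:1;)\n'
    ),
}

# flowbits:<op>[,<name>];  -- noalert has no name, so group 2 is optional
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?\s*;")
SETTERS = {"set", "toggle"}
CHECKERS = {"isset", "isnotset"}


def flowbit_refs(rule_text):
    """Return a list of (op, name) for every named flowbits keyword in the text."""
    refs = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        for op, name in FLOWBITS_RE.findall(line):
            if name:  # flowbits:noalert carries no bit name
                refs.append((op, name.strip()))
    return refs


def lint_flowbits(rule_files):
    """Map each flowbit name to a (kind, detail) finding.

    A bit that is both set and checked inside a single file yields no finding.
    Passing only the files actually loaded into the sensor shows which checks
    would become dead rules when a setter file is disabled."""
    setters, checkers = defaultdict(set), defaultdict(set)
    for fname, text in rule_files.items():
        for op, name in flowbit_refs(text):
            if op in SETTERS:
                setters[name].add(fname)
            elif op in CHECKERS:
                checkers[name].add(fname)
    findings = {}
    for name in sorted(set(setters) | set(checkers)):
        if not setters[name]:
            findings[name] = ("never-set",
                              "checked in %s but set in no loaded file" % sorted(checkers[name]))
        elif not checkers[name]:
            findings[name] = ("never-checked",
                              "set in %s but never checked" % sorted(setters[name]))
        elif checkers[name] - setters[name]:
            findings[name] = ("cross-file",
                              "set in %s, checked in %s" % (sorted(setters[name]),
                                                            sorted(checkers[name] - setters[name])))
    return findings


if __name__ == "__main__":
    for bit, (kind, detail) in lint_flowbits(RULE_FILES).items():
        print("%-20s %-13s %s" % (bit, kind, detail))
    # Chris's situation: the policy file is not enabled
    loaded = {k: v for k, v in RULE_FILES.items() if k != "emerging-policy.rules"}
    for bit, (kind, detail) in lint_flowbits(loaded).items():
        print("%-20s %-13s %s" % (bit, kind, detail))
```

Run against the full set it reports `example.java_ua` as cross-file while `example.ek_landing` is clean; run against only emerging-exploit.rules it reports `example.java_ua` as never-set, which is exactly the silent failure of dropping the policy file. The regex is deliberately simple and would also match a literal "flowbits:" inside a content string, so treat it as a review aid rather than a parser.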
