[Emerging-Sigs] Another unknown exploit kit

Nathan nathan at packetmail.net
Tue Oct 11 09:47:59 EDT 2011


On 10/11/11 05:21, Matthew Jonkman wrote:
> 
> On Oct 10, 2011, at 8:06 PM, Nathan wrote:
> 
>> There is some value here on convention then; if a flowbit is set in one rule file but checked in another we can have issues in disparity.  Convention should perhaps be that the setting and checking of a flowbit is constrained to a single rule file where possible.
> 
> We don't need flowbits if we're in the same rule. :) We have to use them to get across many packets in a stream, etc.

I know that :)  What I mean is if we're setting a Java flowbit in
emerging-policy.rules that is used in emerging-trojan.rules or
emerging-current_events.rules then we've created some disparity by having a
policy rule setting a flowbit used by ET TROJAN or ET CURRENT_EVENTS.

Make sense?   I think that's what happened in Chris' case (correct me if I'm wrong)

Chris said:

"No, it turns out I'm missing the relevant emerging-policy rules to set
the flowbits. Enabling the whole lot will be problematic in a University
(staff are bad enough, but the students ...) so I better be selective!"

Thanks,
Nathan
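As an added illustration (not part of this thread, and not code from the ET project), here is a small Python audit that finds exactly the disparity Nathan describes: flowbits that an enabled rule checks with isset/isnotset but that no enabled rule file sets. The three sample rule files, their SIDs and the flowbit names are constructed placeholders written in Snort/Suricata rule syntax, not real ET signatures; in practice the file contents would be read from the rules directory.

```python
import re
from collections import defaultdict

# Constructed sample rules (hypothetical SIDs and flowbit names, not ET's):
# a POLICY rule sets a Java flowbit that TROJAN / CURRENT_EVENTS rules check.
SAMPLE_RULE_FILES = {
    "emerging-policy.rules": r"""
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Example Java UA (hypothetical)"; flow:established,to_server; content:"User-Agent|3a| Java/"; http_header; flowbits:set,ET.example.java.ua; flowbits:noalert; classtype:policy-violation; sid:9000001; rev:1;)
""",
    "emerging-trojan.rules": r"""
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Example JAR after Java UA (hypothetical)"; flow:established,to_client; flowbits:isset,ET.example.java.ua; content:"|50 4b 03 04|"; depth:4; classtype:trojan-activity; sid:9000002; rev:1;)
""",
    "emerging-current_events.rules": r"""
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Example landing page (hypothetical)"; flow:established,to_client; flowbits:set,ET.example.landing; classtype:trojan-activity; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Example payload after landing (hypothetical)"; flow:established,to_client; flowbits:isset,ET.example.landing; flowbits:isset,ET.example.java.ua; classtype:trojan-activity; sid:9000004; rev:1;)
""",
}

# flowbits:<op>[,<name>]; -- op first, optional name up to the closing ';'
FLOWBITS_RE = re.compile(
    r"flowbits\s*:\s*(setx|set|unset|toggle|isset|isnotset|noalert)\s*(?:,\s*([^;]*))?;"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
SETTERS = {"set", "setx", "toggle"}   # ops that can make a bit true
CHECKERS = {"isset", "isnotset"}      # ops whose rule depends on the bit


def parse_flowbits(rule_files):
    """Map flowbit name -> set of (file, sid) for rules that set / check it."""
    setters = defaultdict(set)
    checkers = defaultdict(set)
    for fname, text in rule_files.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):   # commented-out rule: inert
                continue
            m = SID_RE.search(line)
            sid = int(m.group(1)) if m else -1     # -1 marks a rule without sid
            for op, arg in FLOWBITS_RE.findall(line):
                if op == "noalert" or not arg:
                    continue
                # Suricata accepts isset,a&b and isset,a|b; each name is a dependency
                for name in re.split(r"[&|]", arg):
                    name = name.strip().lstrip("!")
                    if not name:
                        continue
                    if op in SETTERS:
                        setters[name].add((fname, sid))
                    elif op in CHECKERS:
                        checkers[name].add((fname, sid))
    return setters, checkers


def audit_flowbits(rule_files, enabled):
    """Flowbits checked by an enabled rule that no enabled rule sets.

    Returns {bit: {"checked_by": [(file, sid), ...],
                   "set_in_disabled_files": [file, ...]}}.
    An empty set_in_disabled_files means the bit is never set anywhere.
    """
    setters, checkers = parse_flowbits(rule_files)
    findings = {}
    for bit, users in checkers.items():
        enabled_checkers = sorted(u for u in users if u[0] in enabled)
        if not enabled_checkers:
            continue
        if any(s[0] in enabled for s in setters.get(bit, ())):
            continue                                # an enabled rule sets it: fine
        findings[bit] = {
            "checked_by": enabled_checkers,
            "set_in_disabled_files": sorted({s[0] for s in setters.get(bit, ())}),
        }
    return findings


def report(rule_files, enabled):
    """Human-readable version of audit_flowbits()."""
    lines = []
    for bit, info in sorted(audit_flowbits(rule_files, enabled).items()):
        where = info["set_in_disabled_files"]
        cause = ("set only in disabled file(s): " + ", ".join(where)) if where \
                else "never set in any rule file (rule can never fire)"
        for fname, sid in info["checked_by"]:
            lines.append(f"{fname} sid:{sid} checks {bit} -> {cause}")
    return lines


if __name__ == "__main__":
    # Chris' situation: everything except emerging-policy.rules is enabled.
    for line in report(SAMPLE_RULE_FILES,
                       {"emerging-trojan.rules", "emerging-current_events.rules"}):
        print(line)
```

A rule whose isset bit is never set in the loaded set is silently dead, which is the failure Chris ran into. Running the audit over the real rules directory with the set of files actually enabled shows every such cross-file dependency before deployment; for a site that cannot enable a whole policy file, the audit also lists the specific setter SIDs, so only those (typically noalert) rules need to be enabled.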

