[Emerging-Sigs] Another unknown exploit kit

Martin Holste mcholste at gmail.com
Tue Oct 11 10:28:30 EDT 2011


> No, having the flowbit set and check across different files is meaningless.
>  They work exactly the same.  All the rule files are cached into memory on
> start up, so it really doesn't matter what file they are in.

Nathan, are you using PulledPork?  That will auto-enable dependent
flowbit rules and kind of sounds like the issue you're having.  I'm
assuming that you want rules that trigger a flowbit and the
corresponding flowbit check rule to be in the same rule file because
you are enabling/disabling by rule file name. PP allows you to not
care; apologies if I'm misunderstanding and you're well aware of this
PP feature.
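The dependency resolution described above, as an added sketch that is not part of the original post and is not PulledPork's own code: it enables any disabled rule that sets a flowbit which an enabled rule checks, regardless of which file either rule lives in. The file names, SIDs and flowbit names are constructed, and flowbit groups and the `unset` action are ignored as a simplifying assumption.

```python
import re

FLOWBITS = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;,]+))?")
SID = re.compile(r"\bsid\s*:\s*(\d+)")
SETTERS, CHECKERS = {"set", "toggle"}, {"isset", "isnotset"}

# Constructed rules in two hypothetical files; a leading '#' means disabled.
HDR = "alert tcp any any -> any any "
RULE_FILES = {
    "kit_stage.rules": [
        "# " + HDR + '(msg:"demo stage 1"; flowbits:set,demo.stage1; flowbits:noalert; sid:1000001;)',
        "# " + HDR + '(msg:"demo stage 2"; flowbits:isset,demo.stage1; flowbits:set,demo.stage2; flowbits:noalert; sid:1000002;)',
        "# " + HDR + '(msg:"demo unused"; flowbits:set,demo.unused; sid:1000003;)',
    ],
    "kit_payload.rules": [
        HDR + '(msg:"demo payload"; flowbits:isset,demo.stage2; sid:1000004;)',
    ],
}

def parse(rule_files):
    """Return one dict per rule: file, sid, enabled flag, bits set, bits checked."""
    rules = []
    for fname, lines in rule_files.items():
        for line in lines:
            text = line.strip()
            body = text.lstrip("# ")
            sid = SID.search(body)
            if not sid:
                continue  # plain comment or blank line
            sets, checks = set(), set()
            for action, name in FLOWBITS.findall(body):
                if action in SETTERS:
                    sets.add(name.strip())
                elif action in CHECKERS:
                    checks.add(name.strip())
            rules.append({"file": fname, "sid": int(sid.group(1)),
                          "enabled": not text.startswith("#"),
                          "sets": sets, "checks": checks})
    return rules

def enable_dependencies(rules):
    """Enable disabled rules that set a bit an enabled rule checks, to a fixed point."""
    turned_on, changed = [], True
    while changed:
        changed = False
        needed = set().union(*(r["checks"] for r in rules if r["enabled"]))
        for r in rules:
            if not r["enabled"] and r["sets"] & needed:
                r["enabled"] = changed = True
                turned_on.append((r["file"], r["sid"]))
    return turned_on
```

The loop repeats because a newly enabled setter may itself check another flowbit, so a chain of stages is pulled in one link at a time.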

