[Emerging-Sigs] Another unknown exploit kit

Nathan nathan at packetmail.net
Tue Oct 11 11:41:09 EDT 2011


On 10/11/11 09:28, Martin Holste wrote:
>> No, having the flowbit set and check across different files is meaningless.
>>  They work exactly the same.  All the rule files are cached into memory on
>> start up, so it really doesn't matter what file they are in.

Yeah, I'm with you here; I understand how flowbits work and how the rule files
are read into memory... What I was pointing to is expecting folks to run ET POLICY
to drive a flowbit check in ET TROJAN/etc.

> Nathan, are you using PulledPork?  That will auto-enable dependent
> flowbit rules and kind of sounds like the issue you're having.  I'm
> assuming that you want rules that trigger a flowbit and the
> corresponding flowbit check rule to be in the same rule file because
> you are enabling/disabling by rule file name. PP allows you to not
> care; apologies if I'm misunderstanding and you're well aware of this
> PP feature.

Thanks for your reply, Martin. I'm not having any issues; I was more or less
commenting on Chris' scenario, where it appears ET POLICY sets the flowbit used
in ET CURRENT_EVENTS or ET TROJAN, which in my eyes may be bad from the aspect of
expecting folks to be using ET POLICY to drive coverage for ET TROJAN/ET
CURRENT_EVENTS.

Perhaps a flowbits rule may be a good idea, like what Joel had said they're doing.

Thanks,
Nathan
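The cross-file flowbit dependency discussed in this thread, as an added example that is not part of the original thread and not code from Emerging Threats, Snort, Suricata or PulledPork: a small Python audit that parses Snort/Suricata-style rule lines, collects every `flowbits:set`/`toggle` and `flowbits:isset`, and reports enabled checks whose setters are disabled (the "ET POLICY not loaded" case) or absent from the loaded set entirely. The rule files, sids and bit names below are constructed placeholders in the local sid range, not real ET signatures; the policy setter is commented out to model a sensor that does not load emerging-policy.rules.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample rule files (placeholder rules, local sid range; not real
# ET signatures).  The ET POLICY setter is disabled, as on a sensor that does
# not load emerging-policy.rules.
SAMPLE_RULE_FILES = {
    "emerging-policy.rules": [
        '# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE POLICY suspicious UA"; '
        'content:"User-Agent|3a 20|sample"; http_header; flowbits:set,sample.ua; '
        'flowbits:noalert; sid:9000001; rev:1;)',
    ],
    "emerging-trojan.rules": [
        'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE TROJAN checkin response"; '
        'flowbits:isset,sample.ua; content:"|7c|cmd|7c|"; sid:9000002; rev:1;)',
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE TROJAN beacon"; '
        'content:"/beacon"; http_uri; flowbits:set,sample.beacon; flowbits:noalert; sid:9000003; rev:1;)',
        'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE TROJAN beacon reply"; '
        'flowbits:isset,sample.beacon; content:"OK"; sid:9000004; rev:1;)',
    ],
    "emerging-current_events.rules": [
        'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE CURRENT_EVENTS landing page"; '
        'flowbits:isset,sample.ek&sample.beacon; content:"<applet"; sid:9000005; rev:1;)',
    ],
}

RULE_ACTIONS = ("alert", "drop", "pass", "reject", "log", "sdrop")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;]+))?;")


@dataclass
class Rule:
    file: str
    sid: int
    enabled: bool
    sets: set = field(default_factory=set)    # bits this rule sets or toggles
    checks: set = field(default_factory=set)  # bits this rule requires via isset


def parse_rule_line(filename, line):
    """Return a Rule for an enabled or commented-out rule line, else None."""
    text = line.strip()
    enabled = True
    if text.startswith("#"):
        text = text.lstrip("# ").strip()
        enabled = False
    if not text.startswith(RULE_ACTIONS):
        return None  # plain comment, blank line, or not a rule
    m = SID_RE.search(text)
    if not m:
        return None
    rule = Rule(filename, int(m.group(1)), enabled)
    for op, arg in FLOWBITS_RE.findall(text):
        # "a&b" (AND) and "a|b" (OR) lists: every member is treated as required,
        # so an OR-list whose members are partly unsatisfiable is still flagged.
        names = {n.strip() for n in re.split(r"[&|]", arg) if n.strip()}
        if op in ("set", "toggle"):
            rule.sets |= names
        elif op == "isset":  # isnotset/unset/noalert create no dependency
            rule.checks |= names
    return rule


def parse_rule_files(rule_files):
    rules = []
    for filename, lines in rule_files.items():
        rules.extend(r for r in (parse_rule_line(filename, l) for l in lines) if r)
    return rules


def _setters_by_bit(rules):
    setters = defaultdict(list)
    for r in rules:
        for bit in r.sets:
            setters[bit].append(r)
    return setters


def audit_flowbits(rules):
    """dead_checks: sid -> bits whose setters all exist but are disabled;
    orphan_bits: sid -> bits nothing in the loaded set ever sets;
    enable_to_satisfy: disabled setter sids that would fix dead_checks
    (the dependency that PulledPork's flowbit handling resolves for you)."""
    setters = _setters_by_bit(rules)
    report = {"dead_checks": {}, "orphan_bits": {}, "enable_to_satisfy": set()}
    for r in rules:
        if not r.enabled:
            continue
        for bit in sorted(r.checks):
            cands = setters.get(bit, [])
            if not cands:
                report["orphan_bits"].setdefault(r.sid, []).append(bit)
            elif not any(s.enabled for s in cands):
                report["dead_checks"].setdefault(r.sid, []).append(bit)
                report["enable_to_satisfy"].update(s.sid for s in cands)
    return report


def cross_file_dependencies(rules):
    """(checker sid, setter sid) pairs whose two rules live in different files."""
    setters = _setters_by_bit(rules)
    return {(r.sid, s.sid) for r in rules for bit in r.checks
            for s in setters.get(bit, []) if s.file != r.file}
```

Run against the sample, `audit_flowbits` reports sid 9000002 as a dead check on `sample.ua` (its only setter, 9000001 in the policy file, is disabled) and sid 9000005 as checking an orphan bit `sample.ek`, while `cross_file_dependencies` lists exactly the two checker/setter pairs that span rule files. Point `parse_rule_files` at real `.rules` contents (one list of lines per file) to get the same report for a deployed rule set.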

