[Emerging-Sigs] Another unknown exploit kit

Martin Holste mcholste at gmail.com
Tue Oct 11 12:04:34 EDT 2011

> Perhaps a flowbits rule may be a good idea like what Joel had said they're doing.

Ok, I think we're on the same page now.  I'm personally comfortable
with having flowbits from one category necessary for another category,
because it seems inevitable to me that generic traffic caught and set
in a flowbit will be "policy" and will only become "trojan" if some
other factor is encountered.  Since this will often be the case at a
fundamental level, I think it accurately communicates the intent of
the rules to have the cross-category dependencies.  That is, users
should be aware that traffic that is initially benign can be found to
be malicious later, and also that there may be separate value in
recording the benign events for policy reasons.

One compromise might be to put a flag in the message for rules that
set a flowbit like "ET POLICY ... *" so that human inspection can
discern that the rule sets a flowbit.  That might be a bad idea for a
variety of reasons, but the goal would be to make it easier to see why
a rule would be included without having to open up the raw rule text.

More information about the Emerging-sigs mailing list