[Emerging-Sigs] Another unknown exploit kit

Joel Esler jesler at sourcefire.com
Tue Oct 11 13:36:31 EDT 2011


On Oct 11, 2011, at 12:04 PM, Martin Holste wrote:

>> Perhaps a flowbits rule may be a good idea like what Joel had said they're doing.
> 
> Ok, I think we're on the same page now.  I'm personally comfortable
> with having flowbits from one category necessary for another category,
> because it seems inevitable to me that generic traffic caught and set
> in a flowbit will be "policy" and will only become "trojan" if some
> other factor is encountered.  Since this will often be the case at a
> fundamental level, I think it accurately communicates the intent of
> the rules to have the cross-category dependencies.  That is, users
> should be aware that traffic that is initially benign can be found to
> be malicious later, and also that there may be separate value in
> recording the benign events for policy reasons.
> 
> One compromise might be to put a flag in the message for rules that
> set a flowbit like "ET POLICY ... *" so that human inspection can
> discern that the rule sets a flowbit.  That might be a bad idea for a
> variety of reasons, but the goal would be to make it easier to see why
> a rule would be included without having to open up the raw rule text.

One of the reasons that pulledpork is emphasized so much.  Resolution of flowbits.
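To make "resolution of flowbits" concrete, here is an added example (not from this thread and not pulledpork's own code) that does what a rule manager has to do for the cross-category dependency Martin describes: a commented-out ET POLICY rule sets a flowbit, an enabled ET TROJAN rule checks it, so the setter must be enabled too, iterating to a fixed point because a setter may itself depend on another bit. The rule text, SIDs, bit name and the "ends with ' *'" marker check are all constructed for illustration.

```python
import re

# Constructed sample rules (not real ET rules): a commented-out POLICY rule that
# sets a flowbit, and an enabled TROJAN rule that fires only if that bit is set.
RULES = """\
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Example Downloader UA *"; flow:established,to_server; content:"User-Agent|3a| ExampleUA"; http_header; flowbits:set,et.example.ua; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Example Payload After Downloader UA"; flow:established,to_client; flowbits:isset,et.example.ua; content:"MZ"; sid:9000002; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<body>alert\s.*?msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);.*)$')
FLOWBIT_RE = re.compile(r'flowbits:\s*(\w+)(?:,([^;]+))?;')

def parse_rules(text):
    """Return one dict per rule line: sid, msg, enabled flag, bits it sets, bits it checks."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sets, checks = set(), set()
        for op, names in FLOWBIT_RE.findall(m.group('body')):
            for name in filter(None, re.split(r'[|&]', names.strip())):  # "a|b" / "a&b" forms
                if op in ('set', 'setx', 'toggle'):
                    sets.add(name)
                elif op in ('isset', 'isnotset'):
                    checks.add(name)
        rules.append({'sid': int(m.group('sid')), 'msg': m.group('msg'),
                      'enabled': m.group('disabled') is None, 'sets': sets, 'checks': checks})
    return rules

def resolve_flowbits(rules):
    """Enable every disabled rule that sets a flowbit some enabled rule checks.
    Loops to a fixed point: a newly enabled setter may itself check a bit that
    only another disabled rule sets. Returns the sids it enabled, in order."""
    enabled_sids = []
    while True:
        required = set().union(*(r['checks'] for r in rules if r['enabled']))
        newly = [r for r in rules if not r['enabled'] and r['sets'] & required]
        if not newly:
            return enabled_sids
        for r in newly:
            r['enabled'] = True
            enabled_sids.append(r['sid'])

def setters_without_marker(rules):
    """Lint for the suggested convention: setter rules whose msg lacks a trailing ' *'."""
    return [r['sid'] for r in rules if r['sets'] and not r['msg'].endswith(' *')]
```

Running `resolve_flowbits(parse_rules(RULES))` enables sid 9000001 because the enabled TROJAN rule requires `et.example.ua`; a second call returns nothing, since the dependency is now satisfied.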