[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake

David.R.Wharton@regions.com David.R.Wharton at regions.com
Mon Oct 17 17:15:56 EDT 2011


Concerning the ET "IP only" rules like emerging-rbn.rules, 
emerging-rbn-malvertisers.rules, emerging-compromised.rules, etc. 
(technically, the versions written for Snort are not true IP rules but are 
split into separate TCP and UDP rules since performance is better in that 
case and Snort does not seem to be able to handle true IP only rules as 
well as Suricata), in regard to the TCP rules written for Snort, recently 
there have been some changes from bi-directional to uni-directional rules. 
For example, 2408002 used to be:

alert tcp 168.75.207.0/24 any <> $HOME_NET any ... flags:S; ...

but now it is:

alert tcp 168.75.207.0/24 any -> $HOME_NET any ... flags:S; ...

The problem is that with the uni-directional rules, you are only going to 
alert on the initial inbound (to $HOME_NET) TCP packet from a client (the 
SYN packet) and not the SYN-ACK response from a server or a client 
connection initiating from any (including $HOME_NET) to !$HOME_NET.  So if 
you have $HOME_NET configured (not set to 'any'), this does not make sense 
for things like emerging-rbn-malvertisers.rules since most of these are 
going to be connections initiating from $HOME_NET to !$HOME_NET 
($EXTERNAL_NET).

I propose we go back to the bi-directional rules or change 'flags:S;' to 
'flags:S+;'.

Make sense?

-David
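To make the difference concrete, here is an added Python model (not part of the original post or the ET ruleset) of how Snort's direction operator and the flags modifier combine on the three packets the post talks about; the $HOME_NET value of 10.0.0.0/8 and the packet addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The RBN range quoted in the post, and an assumed configured (non-'any') $HOME_NET.
RULE_NET = ipaddress.ip_network("168.75.207.0/24")
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption for the example

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # Snort-style TCP flag letters, e.g. "S" or "SA"

def flags_match(spec: str, pkt_flags: str) -> bool:
    """'S' matches only when SYN is the sole flag set; 'S+' matches SYN plus any others."""
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(pkt_flags)
    return set(spec) == set(pkt_flags)

def rule_matches(direction: str, flag_spec: str, pkt: Packet) -> bool:
    """Evaluate 'alert tcp RULE_NET any <direction> $HOME_NET any (flags:<flag_spec>;)'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    forward = src in RULE_NET and dst in HOME_NET
    reverse = src in HOME_NET and dst in RULE_NET
    if direction == "->":
        hdr = forward
    elif direction == "<>":
        hdr = forward or reverse
    else:
        raise ValueError(direction)
    return hdr and flags_match(flag_spec, pkt.flags)

# Constructed packets: an inbound connection from the listed net, and an outbound one
# from $HOME_NET to the listed net (the malvertiser case) with the server's SYN-ACK.
INBOUND_SYN = Packet("168.75.207.10", "10.1.2.3", "S")
OUTBOUND_SYN = Packet("10.1.2.3", "168.75.207.10", "S")
OUTBOUND_SYNACK = Packet("168.75.207.10", "10.1.2.3", "SA")

def alerts_for(direction: str, flag_spec: str) -> dict:
    """Which of the three constructed packets a given rule variant alerts on."""
    return {
        "inbound_syn": rule_matches(direction, flag_spec, INBOUND_SYN),
        "outbound_syn": rule_matches(direction, flag_spec, OUTBOUND_SYN),
        "outbound_synack": rule_matches(direction, flag_spec, OUTBOUND_SYNACK),
    }

if __name__ == "__main__":
    for variant in (("->", "S"), ("<>", "S"), ("->", "S+")):
        print(variant, alerts_for(*variant))
```

The current `-> ... flags:S;` form alerts only on the inbound SYN and misses the outbound connection entirely, while either `<>` (catches the outbound SYN) or `flags:S+` (catches the SYN-ACK) restores coverage.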