[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake
william.salusky at teamaol.com
Wed Oct 19 12:20:39 EDT 2011
You didn't provide an example of which rule(s) you were referring to, but
considering malvertising is a major issue I am involved in the
investigation of, there are indeed intentional uni-directional rules
that target server responses and should/would never fire on client ->
It's not a mistake if you know exactly what you are looking for.
On 10/19/11 12:04 PM, David.R.Wharton at regions.com wrote:
> The malvertising rules don't make sense being uni-directional in-bound the
> way they are now since most connections to malvertisers are going to
> initiate from the client's browser. Similarly for the botcc rules.
> That said, a simple sed on emerging-rbn-malvertisers.rules,
> emerging-rbn.rules, emerging-botcc.rules, etc. will fix this so it is easy
> to deal with on my end; I just thought the global rules repos should be
> changed too.
> sed -i 's/flags:S;/flags:S+;/g' emerging-rbn-malvertisers.rules emerging-rbn.rules emerging-botcc.rules
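The following is an added example, not code from either poster or from the Emerging Threats rule set. It builds a small constructed rules file in Snort/Suricata syntax (placeholder sids and RFC 5737 test addresses, not real ET rules) and applies the rewrite from the thread, so you can see exactly which rules the literal pattern touches. `flags:S;` matches a TCP segment with only SYN set, while `flags:S+;` matches SYN plus any other bits. The caveat the thread does not spell out: the sed only rewrites the bare `flags:S;` form, so a rule written as `flags:S,12;` (SYN with the two reserved bits masked) is left unchanged and still needs a manual look.

```shell
#!/bin/sh
# Added example (not from the original thread). Constructed rules file plus the
# posted sed rewrite, with before/after counts of each flags: variant.
set -eu

# Write the constructed sample to the path in $1. Placeholder sids (9000001+)
# and 192.0.2.x test addresses; nothing here is a real ET rule.
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $HOME_NET any -> 192.0.2.10 any (msg:"TEST CnC bare SYN"; flags:S; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> 192.0.2.11 any (msg:"TEST CnC SYN with reserved bits masked"; flags:S,12; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> 192.0.2.12 any (msg:"TEST CnC already S+"; flags:S+; sid:9000003; rev:1;)
alert tcp 192.0.2.13 any -> $HOME_NET any (msg:"TEST server SYN/ACK response"; flags:SA; sid:9000004; rev:1;)
EOF
}

# Count lines in file $2 containing the fixed string $1. grep -c exits 1 when
# the count is 0, so '|| true' keeps set -e from aborting the script.
count_flag() {
    grep -c -F -- "$1" "$2" || true
}

# The rewrite from the thread, applied to $1. A temp file plus mv is used in
# place of GNU sed's -i so the same line also works with BSD/macOS sed.
rewrite_syn_flags() {
    sed 's/flags:S;/flags:S+;/g' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Run the rewrite on a scratch copy and report what changed.
demo() {
    dir=$(mktemp -d)
    f="$dir/emerging-botcc.rules"
    write_sample_rules "$f"
    printf 'before: flags:S; lines=%s  flags:S+; lines=%s\n' \
        "$(count_flag 'flags:S;' "$f")" "$(count_flag 'flags:S+;' "$f")"
    rewrite_syn_flags "$f"
    printf 'after:  flags:S; lines=%s  flags:S+; lines=%s\n' \
        "$(count_flag 'flags:S;' "$f")" "$(count_flag 'flags:S+;' "$f")"
    # The masked form is not touched by the literal pattern and still needs review.
    printf 'untouched flags:S,12; lines=%s\n' "$(count_flag 'flags:S,12;' "$f")"
    rm -rf "$dir"
}

demo
```

Run it with `sh rewrite_check.sh` (or any name you save it under); the only rule that changes is the one with bare `flags:S;`. If your local copies contain `flags:S,12;` variants, extend the sed pattern or handle those rules by hand rather than assuming the one-liner covered them.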