[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake

William Salusky william.salusky at teamaol.com
Wed Oct 19 12:20:39 EDT 2011

You didn't provide an example of which rule(s) you were referring, but
considering malvertising is a major issue I am involved in the
investigation of, there are indeed intentional uni-directional rules
that target server responses and should/would never fire on client ->
server requests. 

It's not a mistake if you know exactly what you are looking for.


On 10/19/11 12:04 PM, David.R.Wharton at regions.com wrote:
> The malvertising rules don't make sense being uni-directional in-bound the 
> way they are now since most connections to malvertisers are going to 
> initiate from the client's browser.  Similarly for the botcc rules.
> That said, a simple sed on emerging-rbn-malvertisers.rules, 
> emerging-rbn.rules, emerging-botcc.rules, etc. will fix this so it is easy 
> to deal with on my end; I just thought the global rules repos should be 
> changed too.
> sed -i 's/flags:S;/flags:S+;/g'

More information about the Emerging-sigs mailing list