[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake

Nathan nathan at packetmail.net
Wed Oct 19 12:43:57 EDT 2011

On Wed, 19 Oct 2011 11:52:44 -0400 Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:

> I'll make available what you all like. More versions, I feel, may make it
> more confusing to the beginning suricata/snort user (and we certainly have
> things difficult enough as is). But it's possible.
> Thoughts?

I think for ET RBN Malvertising it makes sense that the direction should be
ingress, but this won't be ingress SYN, which is what is currently set.  

Looking at
I think the direction is wrong.  Would I not want to see egress SYN sourced

For ET RBN, I think we should be bi-directional.  That is, looking at both
ingress and egress SYN from ET RBN.  I want to see compromised boxes calling
out to known hostile hosts while conversely being able to detect known hostile
IPs connecting to me.  Looking at
I am missing $HOME_NET -> !$HOME_NET/$EXTERNAL_NET entirely.  I have no
visibility for compromised boxes connecting to known hostile ranges. 
Historically this has been a great resource of data for identifying unknown
checkin or infected assets.

The above also applies to known compromised at

BotCC appears correct as to what I would believe it should be.

While I agree that everyone is likely to use these rules differently, I

ET Malvertising: $HOME_NET -> $EXTERNAL_NET flags:S
Known Compromised:  $HOME_NET <-> $EXTERNAL_NET flags:S
BotCC: Leave as-is

Thoughts?  It seems currently we are missing $HOME_NET calling out to ET RBN
destinations which is as I understand it a grave lapse in detection.
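The detection gap Nathan describes is a matter of which way the rule header points. The script below is an added illustration, not code from the Emerging Threats rulesets or from anyone in this thread: it parses the three header shapes under discussion (ingress SYN as currently shipped, egress SYN, and bi-directional), applies the `flags:S` constraint, and reports which constructed SYN flows each variant would alert on. `$RBN_NET`, the `HOME_NET` range and the flows are made-up values standing in for a reputation list; the real ET rules carry their address lists inline. Note that the bi-directional operator in Snort/Suricata syntax is `<>`, which is what the example uses.

```python
"""Direction coverage check for IP-reputation "SYN" rules.

Added illustration (not from the Emerging Threats rulesets or this thread):
models the rule header directions discussed in the post and shows which
constructed SYN flows each one sees. All ranges and flows are made up.
"""
import ipaddress
from dataclasses import dataclass

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]             # constructed
RBN_NET = [ipaddress.ip_network("203.0.113.0/24")]          # constructed stand-in for a hostile list


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    syn: bool          # SYN flag set
    ack: bool = False  # ACK flag set (a SYN/ACK is not flags:S)


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def parse_header(header):
    """Parse 'alert tcp <src> any <dir> <dst> any' into (src_var, direction, dst_var).
    Only the address variables used in the thread are recognised."""
    parts = header.split()
    if len(parts) != 7 or parts[0] != "alert" or parts[1] != "tcp":
        raise ValueError("unsupported header: %r" % header)
    src, direction, dst = parts[2], parts[4], parts[5]
    if direction not in ("->", "<>"):
        raise ValueError("direction must be -> or <> (Suricata/Snort syntax)")
    return src, direction, dst


def var_matches(var, ip):
    """Resolve a rule address variable against one IP."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_nets(ip, HOME_NET)
    if var == "$EXTERNAL_NET":          # Suricata default: !$HOME_NET
        return not in_nets(ip, HOME_NET)
    if var == "$RBN_NET":               # hypothetical reputation-list variable
        return in_nets(ip, RBN_NET)
    raise ValueError("unknown variable: %r" % var)


def rule_matches(header, flow):
    """True when a flags:S rule with this header fires on the flow."""
    src, direction, dst = parse_header(header)
    if not flow.syn or flow.ack:       # flags:S means SYN only
        return False
    forward = var_matches(src, flow.src) and var_matches(dst, flow.dst)
    if direction == "->":
        return forward
    reverse = var_matches(src, flow.dst) and var_matches(dst, flow.src)
    return forward or reverse


# The three header shapes discussed in the post.
RULE_VARIANTS = {
    "ingress SYN (current)": "alert tcp $RBN_NET any -> $HOME_NET any",
    "egress SYN (proposed)": "alert tcp $HOME_NET any -> $RBN_NET any",
    "bi-directional SYN":    "alert tcp $HOME_NET any <> $RBN_NET any",
}

# Constructed flows: 0 = hostile host scanning in, 1 = infected box calling
# out, 2 = SYN/ACK reply from the hostile host, 3 = normal egress to an
# address that is not on the list.
FLOWS = [
    Flow("203.0.113.5", "10.1.2.3", syn=True),
    Flow("10.1.2.3", "203.0.113.9", syn=True),
    Flow("203.0.113.9", "10.1.2.3", syn=True, ack=True),
    Flow("10.1.2.3", "198.51.100.7", syn=True),
]


def coverage(variants=RULE_VARIANTS, flows=FLOWS):
    """Map each rule variant to the indexes of the flows it alerts on."""
    return {name: [i for i, f in enumerate(flows) if rule_matches(hdr, f)]
            for name, hdr in variants.items()}


if __name__ == "__main__":
    for name, hits in coverage().items():
        print("%-24s alerts on flows %s" % (name, hits))
```

Running it shows the ingress-only header alerting on flow 0 alone, so the compromised box in flow 1 calling out to the listed range is never seen; the bi-directional header catches both, and the SYN/ACK in flow 2 is ignored by every variant because `flags:S` requires a bare SYN.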

