[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake

Nathan nathan at packetmail.net
Wed Oct 19 12:43:57 EDT 2011


On Wed, 19 Oct 2011 11:52:44 -0400 Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote

> I'll make available what you all like. More versions I feel may make it a
> bit more confusing to the beginning suricata/snort user (and we certainly have
> things difficult enough as is). But it's possible.
>
> Thoughts?

I think for ET RBN Malvertising it makes sense that the direction should be
ingress, but this won't be ingress SYN, which is what is currently set.  

Looking at
http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-rbn-malvertisers.rules
I think the direction is wrong.  Would I not want to see egress SYN sourced
from $HOME_NET to !$HOME_NET/$EXTERNAL_NET?

For ET RBN, I think we should be bi-directional.  That is, looking at both
ingress and egress SYN from ET RBN.  I want to see compromised boxes calling
out to known hostile hosts while conversely being able to detect known hostile
IPs connecting to me.  Looking at
http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-rbn.rules
I am missing $HOME_NET -> !$HOME_NET/$EXTERNAL_NET entirely.  I have no
visibility for compromised boxes connecting to known hostile ranges. 
Historically this has been a great resource of data for identifying unknown
checkin or infected assets.

The above also applies to known compromised at
http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-compromised.rules

BotCC appears correct as to what I would believe it should be.

While I agree that everyone is likely to use these rules differently, I
suggest:

ET Malvertising: $HOME_NET -> $EXTERNAL_NET flags:S
ET RBN: $HOME_NET <-> $EXTERNAL_NET flags:S
Known Compromised:  $HOME_NET <-> $EXTERNAL_NET flags:S
BotCC: Leave as-is

Thoughts?  It seems currently we are missing $HOME_NET calling out to ET RBN
destinations which is as I understand it a grave lapse in detection.

Thanks,
Nathan
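One way to check a ruleset for the gap Nathan describes (added example, not part of the thread or of the ET rulesets): parse Snort/Suricata rule lines and report, per rule family, which directions relative to $HOME_NET the SYN rules cover. The sample rules, sids and msg strings below are constructed; the family names follow the msg prefixes the post discusses.

```python
import re
from collections import defaultdict

# Constructed sample rules (not copied from any ET file): one per direction
# the post discusses, plus a disabled rule that the audit must ignore.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET RBN Example hostile range (constructed)"; flags:S; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COMPROMISED Example host (constructed)"; flags:S; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COMPROMISED Example host (constructed)"; flags:S; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET CNC Example BotCC server (constructed)"; flags:S; sid:9000004; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET RBN Example hostile range (constructed)"; flags:S; sid:9000005; rev:1;)
"""

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+\S+\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:"(?P<msg>[^"]*)"')

def rule_family(msg):
    # Family is the first two words of msg, e.g. "ET RBN", "ET COMPROMISED".
    return " ".join(msg.split()[:2])

def audit_directions(text):
    """Map each family to the set of directions its SYN rules cover:
    'egress' ($HOME_NET -> external), 'ingress' (external -> $HOME_NET)
    or 'bidirectional' ('<>'). Only rules carrying flags:S are counted,
    since the post is about SYN-only IP rules."""
    coverage = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out (disabled) rule
        m = RULE_RE.match(line)
        if not m or "flags:S" not in m.group("opts"):
            continue
        msg = MSG_RE.search(m.group("opts"))
        fam = rule_family(msg.group("msg")) if msg else "UNKNOWN"
        if m.group("dir") == "<>":
            coverage[fam].add("bidirectional")
        elif m.group("src") == "$HOME_NET":
            coverage[fam].add("egress")
        elif m.group("dst") == "$HOME_NET":
            coverage[fam].add("ingress")
    return dict(coverage)

def missing_egress(coverage):
    """Families with no rule that fires when a $HOME_NET host calls out."""
    return sorted(f for f, d in coverage.items()
                  if not d & {"egress", "bidirectional"})
```

Running `missing_egress(audit_directions(SAMPLE_RULES))` on the constructed set flags only the RBN family, which is the situation the post describes for the real ruleset.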


