[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake
nathan at packetmail.net
Wed Oct 19 12:43:57 EDT 2011
On Wed, 19 Oct 2011 11:52:44 -0400 Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote
> I'll make available what you all like. More versions I feel may make it
> more confusing to the beginning suricata/snort user (and we certainly have
> things difficult enough as is). But it's possible.
I think for ET RBN Malvertising it makes sense that the direction should be
ingress, but this won't be ingress SYN, which is what is currently set.
I think the direction is wrong. Would I not want to see egress SYN sourced
from $HOME_NET to !$HOME_NET/$EXTERNAL_NET?
For ET RBN, I think we should be bi-directional. That is, looking at both
ingress and egress SYN from ET RBN. I want to see compromised boxes calling
out to known hostile hosts while conversely being able to detect known hostile
IPs connecting to me. Looking at
I am missing $HOME_NET -> !$HOME_NET/$EXTERNAL_NET entirely. I have no
visibility for compromised boxes connecting to known hostile ranges.
Historically this has been a great resource of data for identifying unknown
checkin or infected assets.
The above also applies to known compromised at
BotCC appears correct as to what I would believe it should be.
While I agree that everyone is likely to use these rules differently, I
ET Malvertising: $HOME_NET -> $EXTERNAL_NET flags:S
ET RBN: $HOME_NET <-> $EXTERNAL_NET flags:S
Known Compromised: $HOME_NET <-> $EXTERNAL_NET flags:S
BotCC: Leave as-is
Thoughts? It seems currently we are missing $HOME_NET calling out to ET RBN
destinations which is as I understand it a grave lapse in detection.
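The direction argument above comes down to what the rule header's address pair and direction operator match, combined with flags:S selecting only the packet that opens a connection. The following is an added example, not code from the post, from ET, or from Snort/Suricata: a small Python evaluator for the header (address variables with ! negation, -> and <>) and the flags option, run over constructed SYN packets with three constructed rule variants (ingress-only, egress-only, bi-directional). The $RBN variable and all addresses are stand-ins using RFC 5737 documentation ranges, not the real ET RBN list; $EXTERNAL_NET is defined as !$HOME_NET, the usual snort.conf/suricata.yaml convention.

```python
"""Direction and flags:S semantics of Snort/Suricata IP-list rules.

Added example; not code from the Emerging-Sigs post, ET, Snort or Suricata.
Implements a minimal evaluator for the rule header plus the flags option and
runs three constructed rule variants over constructed SYN packets. $RBN and
all addresses are stand-ins (RFC 5737 ranges), not the real ET lists.
"""
import ipaddress
import re

# Constructed network variables; $EXTERNAL_NET is !$HOME_NET by convention.
VARIABLES = {
    "$HOME_NET": [ipaddress.ip_network("10.0.0.0/8")],
    "$EXTERNAL_NET": "!$HOME_NET",
    "$RBN": [ipaddress.ip_network("203.0.113.0/24")],  # hypothetical hostile list
}

# The three header variants discussed in the post, as constructed rules.
RULES = [
    'alert tcp $RBN any -> $HOME_NET any (msg:"RBN ingress SYN"; flags:S; sid:1;)',
    'alert tcp $HOME_NET any -> $RBN any (msg:"RBN egress SYN"; flags:S; sid:2;)',
    'alert tcp $HOME_NET any <> $RBN any (msg:"RBN either-way SYN"; flags:S; sid:3;)',
]

# Constructed packets: (src, dst, TCP flags).
PACKETS = [
    ("203.0.113.5", "10.1.1.1", "S"),    # hostile host connects in
    ("10.1.1.1", "203.0.113.5", "SA"),   # our SYN/ACK back to it (must not fire)
    ("10.1.1.1", "203.0.113.9", "S"),    # infected box checks in outbound
    ("10.1.1.1", "198.51.100.7", "S"),   # ordinary outbound connection
]

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into header fields plus an options dict (msg, flags, sid)."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule


def resolve(token, variables):
    """Return (negated, networks) for an address token such as !$HOME_NET."""
    negated = token.startswith("!")
    value = variables[token.lstrip("!")]
    if isinstance(value, str):           # variable defined in terms of another
        inner_negated, value = resolve(value, variables)
        negated ^= inner_negated
    return negated, value


def addr_matches(ip, token, variables):
    if token == "any":
        return True
    negated, nets = resolve(token, variables)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets) != negated


def flags_match(pkt_flags, spec):
    """Snort semantics: 'S' = exactly SYN; 'S+' = SYN plus anything; 'S*' = any of."""
    want, have = set(spec.rstrip("+*")), set(pkt_flags)
    if spec.endswith("+"):
        return want <= have
    if spec.endswith("*"):
        return bool(want & have)
    return want == have


def rule_matches(rule, pkt, variables=VARIABLES):
    src, dst, flags = pkt
    if "flags" in rule["opts"] and not flags_match(flags, rule["opts"]["flags"]):
        return False

    def oriented(src_tok, dst_tok):
        return addr_matches(src, src_tok, variables) and addr_matches(dst, dst_tok, variables)

    forward = oriented(rule["src"], rule["dst"])
    if rule["dir"] == "->":
        return forward
    return forward or oriented(rule["dst"], rule["src"])   # "<>" tries both ways


def evaluate(rules=RULES, packets=PACKETS, variables=VARIABLES):
    """Map each sid to the list of 'src->dst' strings it would alert on."""
    hits = {}
    for text in rules:
        rule = parse_rule(text)
        hits[int(rule["opts"]["sid"])] = [
            f"{s}->{d}" for s, d, f in packets if rule_matches(rule, (s, d, f), variables)
        ]
    return hits


if __name__ == "__main__":
    for sid, matched in evaluate().items():
        print(f"sid {sid}: {matched}")
```

Running it shows sid 1 (the ingress-only header) alerting only on the hostile host's inbound SYN, sid 2 only on the infected box's outbound SYN, and sid 3 (<>) on both, while the SYN/ACK and the ordinary outbound connection fire nothing. Because flags:S matches only a packet with SYN set and nothing else, each rule fires once per connection attempt rather than once per packet, which is what makes these "IP only" rules cheap; the cost of choosing the wrong direction is the visibility gap the post describes.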