[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake

David.R.Wharton@regions.com David.R.Wharton at regions.com
Wed Oct 19 12:43:47 EDT 2011

Thanks William.   In my first email I gave the example of SID 2408002 
which can be found in emerging-rbn-malvertisers.rules -- 

I agree with you that there are valuable uni-directional rules targeting 
server responses.  However, in the case of the ET "IP only" rules like 
emerging-rbn-malvertisers.rules, none of them will fire if your $HOME_NET 
IPs are not part of the RBN, malvertiser, etc. IPs specified in the rule. 
This is because the rules are looking for the SYN flag inbound and only 
the SYN flag.  A server acting like a server is going to send a SYN-ACK 
but never just a SYN flag.

Make sense? Perhaps I should have been clearer.  The issue isn't just that 
they are uni-directional, it is uni-directional inbound with 'flags:S;'. 
Yes, sometimes you want this but most of the time for malvertising and C&C 
communication, the $HOME_NET client is going to initiate the 


From:   William Salusky <william.salusky at teamaol.com>
To:     <emerging-sigs at emergingthreats.net>
Date:   10/19/2011 11:23 AM
Subject:        Re: [Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake
Sent by:        emerging-sigs-bounces at emergingthreats.net

You didn't provide an example of which rule(s) you were referring to, but
considering malvertising is a major issue I am involved in the
investigation of, there are indeed intentional uni-directional rules
that target server responses and should/would never fire on client ->
server requests. 

It's not a mistake if you know exactly what you are looking for.


On 10/19/11 12:04 PM, David.R.Wharton at regions.com wrote:
> The malvertising rules don't make sense being uni-directional in-bound 
> way they are now since most connections to malvertisers are going to 
> initiate from the client's browser.  Similarly for the botcc rules.
> That said, a simple sed on emerging-rbn-malvertisers.rules, 
> emerging-rbn.rules, emerging-botcc.rules, etc. will fix this so it is 
> to deal with on my end; I just thought the global rules repos should be 
> changed too.
> sed -i 's/flags:S;/flags:S+;/g'
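
The flag matching discussed in this thread, as an added example (not part of the original e-mails and not Emerging Threats code): a simplified Python model of the Snort `flags` option, covering only the exact form and the `+` form, run over constructed handshakes. The addresses, the assumed rule shape and all function names are illustrative assumptions, and the model ignores the reserved TCP bits.

```python
# TCP flag bits as they appear in the TCP header
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def to_mask(letters):
    mask = 0
    for ch in letters:
        mask |= FLAG_BITS[ch]
    return mask

def flags_match(option, pkt_flags):
    """'S' matches only when exactly SYN is set; 'S+' matches SYN plus any other flags."""
    plus = "+" in option
    want = to_mask(option.replace("+", ""))
    have = to_mask(pkt_flags)
    return (have & want) == want if plus else have == want

LISTED = {"203.0.113.5"}    # constructed stand-in for an IP listed in the rule
HOME_NET = {"192.0.2.10"}   # constructed stand-in for $HOME_NET

def rule_fires(flags_opt, pkt):
    """Assumed rule shape: alert tcp LISTED any -> HOME_NET any (flags:<opt>;)"""
    src, dst, flags = pkt
    return src in LISTED and dst in HOME_NET and flags_match(flags_opt, flags)

# Constructed three-way handshakes: (src, dst, TCP flags)
CLIENT_INITIATED = [
    ("192.0.2.10", "203.0.113.5", "S"),    # HOME_NET browser opens the connection
    ("203.0.113.5", "192.0.2.10", "SA"),   # listed server answers with SYN-ACK
    ("192.0.2.10", "203.0.113.5", "A"),
]
LISTED_INITIATED = [
    ("203.0.113.5", "192.0.2.10", "S"),    # listed host connects in to HOME_NET
    ("192.0.2.10", "203.0.113.5", "SA"),
    ("203.0.113.5", "192.0.2.10", "A"),
]

def alerts(flags_opt, packets):
    """Return the flag strings of the packets the rule would alert on."""
    return [p[2] for p in packets if rule_fires(flags_opt, p)]

if __name__ == "__main__":
    for name, pkts in (("client-initiated", CLIENT_INITIATED),
                       ("listed-initiated", LISTED_INITIATED)):
        for opt in ("S", "S+"):
            print(f"{name:17} flags:{opt:3} -> {alerts(opt, pkts)}")
```
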
