[Emerging-Sigs] ET uni-directional TCP "IP only" rules are a mistake
David.R.Wharton at regions.com
Wed Oct 19 12:43:47 EDT 2011
Thanks William. In my first email I gave the example of SID 2408002
which can be found in emerging-rbn-malvertisers.rules --
I agree with you that there are valuable uni-directional rules targeting
server responses. However, In the case of the ET "IP only" rules like
emerging-rbn-malvertisers.rules, none of them will fire if your $HOME_NET
IPs are not part of the RBN, malvertiser, etc. IPs specified in the rule.
This is because the rules are looking for the SYN flag inbound and only
the SYN flag. A server acting like a server is going to send a SYN-ACK
but never just a SYN flag.
Make sense? Perhaps I should have been clearer. The issue isn't just that
they are uni-directional, it is uni-directional inbound with 'flags:S;'.
Yes, sometimes you want this but most of the time for malvertising and C&C
communication, the $HOME_NET client is going to initiate the
From: William Salusky <william.salusky at teamaol.com>
To: <emerging-sigs at emergingthreats.net>
Date: 10/19/2011 11:23 AM
Subject: Re: [Emerging-Sigs] ET uni-directional TCP "IP only" rules
are a mistake
Sent by: emerging-sigs-bounces at emergingthreats.net
You didn't provide an example of which rule(s) you were referring, but
considering malvertising is a major issue I am involved in the
investigation of, there are indeed intentional uni-directional rules
that target server responses and should/would never fire on client ->
It's not a mistake if you know exactly what you are looking for.
On 10/19/11 12:04 PM, David.R.Wharton at regions.com wrote:
> The malvertising rules don't make sense being uni-directional in-bound
> way they are now since most connections to malvertisers are going to
> initiate from the client's browser. Similarly for the botcc rules.
> That said, a simple sed on emerging-rbn-malvertisers.rules,
> emerging-rbn.rules, emerging-botcc.rules, etc. will fix this so it is
> to deal with on my end; I just thought the global rules repos should be
> changed too.
> sed -i 's/flags:S;/flags:S+;/g'
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
Support Emerging Threats! Subscribe to Emerging Threats Pro
The ONLY place to get complete premium rulesets for Snort 2.4.0 through
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Emerging-sigs