[Emerging-Sigs] IP Rules Direction

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 27 11:41:26 EDT 2011

So… we need to standardize on what we should do with the IP only rules, like the RBN and such. You can find them here:


The issues we need to decide for the RBN set:

1. They are uni-directional now, inbound. For all Snort platforms they're flags:S;, which will catch the sun. We may not generate an alert for an outbound connection if the remote end doesn't reply, or is blocked in the middle. So less than optimal.

2. I prefer they not be bi-directional, as it makes blocking decisions more reliable when they are uni-directional.

Thoughts there?

In general, the IP sigs are uni-directional and looking for outbound connections. Depending on your environment that's not always the best. Bi-directional makes me nervous on applying blocks, especially for nets that watch traversing traffic, not just local. 

We could do multiple rulesets for in out and bi, but that can make things even more daunting for new folks implementing. 

So lets discuss and get to a decision, and get this set. What do folks think? Let me know privately or on the list here. 



Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110

More information about the Emerging-sigs mailing list