[Emerging-Sigs] IP Rules Direction

Martin Holste mcholste at gmail.com
Thu Oct 27 12:02:51 EDT 2011


We are not running inline and are concerned with outbound in general,
but inbound on successful TCP (helps highlight SQLi and successful
port scans).  I would also toss out the idea for an RBN ruleset with
thresholds for only connections with a certain amount of bytes or
packets which might trim some of the noise.

On Thu, Oct 27, 2011 at 10:41 AM, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> So… we need to standardize on what we should do with the IP only rules, like the RBN and such. You can find them here:
>
> http://rules.emergingthreats.net/blockrules/
>
> The issues we need to decide for the RBN set:
>
> 1. They are uni-directional now, inbound. For all Snort platforms they're flags:S;, which will catch the SYN. We may not generate an alert for an outbound connection if the remote end doesn't reply, or is blocked in the middle. So less than optimal.
>
> 2. I prefer they not be bi-directional, as it makes blocking decisions more reliable when they are uni-directional.
>
> Thoughts there?
>
>
> In general, the IP sigs are uni-directional and looking for outbound connections. Depending on your environment that's not always the best. Bi-directional makes me nervous on applying blocks, especially for nets that watch traversing traffic, not just local.
>
> We could do multiple rulesets for in, out and bi, but that can make things even more daunting for new folks implementing.
>
> So let's discuss and get to a decision, and get this set. What do folks think? Let me know privately or on the list here.
>
> Thanks!
>
> Matt
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>

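The three rule directions the thread is weighing (inbound, outbound, bidirectional), shown as an added example that is not part of the original post or of the Emerging Threats rule set: a small Python generator that turns a blockrules-style text list of IPs/CIDRs into Snort IP-only rules in a chosen direction. The header templates, the per-direction TCP option (flags:S for the inbound SYN, flow:to_server,established for outbound so an unanswered or blocked SYN stays silent, flow:established for bidirectional), the sid base, the chunk size and the sample address list are all assumptions chosen for illustration.

```python
"""Generate Snort IP-only rules from an address list in a chosen direction.

Added example: the templates, option strings and sample data below are
assumptions for illustration, not the Emerging Threats rules themselves.
"""
import ipaddress
from typing import Iterable, List

# Rule header template (with {ips} replaced by a Snort IP list such as
# [192.0.2.1,198.51.100.0/24]) and the TCP option that pins the match to
# the side of the connection that matters for that direction.
DIRECTIONS = {
    # Listed host initiates: match its bare SYN arriving at our net.
    "inbound": ("{ips} any -> $HOME_NET any", "flags:S;"),
    # Local host initiates: alert only once the handshake completes, so a
    # SYN that is dropped in the middle or never answered produces nothing.
    "outbound": ("$HOME_NET any -> {ips} any", "flow:to_server,established;"),
    # Either side: established traffic in both directions. Riskier to block
    # on, since it also fires for traffic merely traversing the sensor.
    "bidirectional": ("{ips} any <> $HOME_NET any", "flow:established;"),
}


def _format_net(net) -> str:
    """Render a host route as a bare address, anything else as CIDR."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def parse_ip_list(lines: Iterable[str]) -> List[str]:
    """Parse one IP or CIDR per line, '#' comments allowed.

    Invalid entries raise ValueError so a typo never silently widens a
    block. Overlapping entries are collapsed; all entries must be one IP
    version (ipaddress.collapse_addresses rejects a mix).
    """
    nets = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        nets.add(ipaddress.ip_network(entry, strict=False))
    return [_format_net(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def build_rules(nets: List[str], direction: str, base_sid: int, msg: str,
                chunk: int = 100, rev: int = 1) -> List[str]:
    """Emit one rule per chunk of addresses; sids count up from base_sid."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    header_tmpl, side_opt = DIRECTIONS[direction]
    rules = []
    for group, start in enumerate(range(0, len(nets), chunk)):
        ips = "[" + ",".join(nets[start:start + chunk]) + "]"
        header = header_tmpl.format(ips=ips)
        rules.append(
            f'alert tcp {header} (msg:"{msg} {direction} group {group + 1}"; '
            f"{side_opt} classtype:misc-attack; sid:{base_sid + group}; rev:{rev};)"
        )
    return rules


# Constructed sample list (RFC 5737 documentation ranges), not real RBN data.
SAMPLE_LIST = """
# constructed sample, not real RBN data
192.0.2.1
192.0.2.2
198.51.100.0/24
198.51.100.7   # inside the /24 above, collapsed away
203.0.113.0/25
""".splitlines()


if __name__ == "__main__":
    nets = parse_ip_list(SAMPLE_LIST)
    for direction, base in (("inbound", 9000000), ("outbound", 9000100),
                            ("bidirectional", 9000200)):
        for rule in build_rules(nets, direction, base, "EXAMPLE RBN", chunk=2):
            print(rule)
```

Running it prints two rules per direction for the four collapsed networks; swap in a downloaded blockrules list and a sid range you own to produce a set for one direction without hand-editing headers. Generating all three variants from one source list is one way around the "three rulesets is daunting" concern: the list is the data, the direction is a build option.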