[Emerging-Sigs] IP Rules Direction

waldo kitty wkitty42 at windstream.net
Thu Oct 27 13:31:32 EDT 2011


On 10/27/2011 11:41, Matthew Jonkman wrote:
> So… we need to standardize on what we should do with the IP only rules, like the RBN and such. You can find them here:
>
> http://rules.emergingthreats.net/blockrules/
>
> The issues we need to decide for the RBN set:
>
> 1. They are uni-directional now, inbound. For all Snort platforms they're flags:S;, which will catch the sun. We may not generate an alert for an outbound connection if the remote end doesn't reply, or is blocked in the middle. So less than optimal.
>
> 2. I prefer they not be bi-directional, as it makes blocking decisions more reliable when they are uni-directional.
>
> Thoughts there?

while i agree with you, having them doubled in each uni-direction or going 
bi-directional gives one the notice that something inside their network is 
reaching out to one of those IPs... this is a big red flag in my book and i then 
go hunting to see what has gotten in and which machine(s) it has lodged itself in...

understanding that bi-directional is bad in that you don't know, without digging 
into the pcap, which direction the traffic was going, i'd vote for two sets of 
uni-direction rules... this way those who want one direction or the other or 
both can turn them on and off...

> In general, the IP sigs are uni-directional and looking for outbound connections. Depending on your environment that's not always the best. Bi-directional makes me nervous on applying blocks, especially for nets that watch traversing traffic, not just local.
>
> We could do multiple rulesets for in out and bi, but that can make things even more daunting for new folks implementing.

well, we've got inbound already... we only need outbound capability... so only 
one other set need be created... i would also suggest a slight file name 
alteration so that the rules file actually tells that it is in or out...

> So lets discuss and get to a decision, and get this set. What do folks think? Let me know privately or on the list here.
>
> Thanks!
>
> Matt


More information about the Emerging-sigs mailing list