Educause Security Discussion mailing list archives
Emerging Threat compromised rules
From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Wed, 21 Jan 2009 09:25:37 -0500
Good morning,

I was looking through the SNORT ET rules (emerging-compromised.rules) and saw that they were written in the form of:

alert ip [ LIST OF BOGUS IPs HERE ] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic (5)"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500004; rev:1397;)

My question is, why [ IPs ] any -> $HOME_NET any ... why not $HOME_NET any -> [ IPs ] any? Does the order "into my network" versus "out of my network" buy me anything other than the obvious -- forewarned is forearmed? I do get a lot of false positives from these sigs because of inbound mail, mostly.

PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (office)
(413) 822-2922 (cell)
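The following is an added example, not code from the post or from the Emerging Threats project: a small evaluator for the two header orderings being compared, run against constructed flows. The HOME_NET value, the address list and the sample flows are all assumptions made up for the example; it shows that the `[IPs] any -> $HOME_NET any` form fires on any traffic a listed host sends in (a listed host delivering mail to the campus MX included), while the `$HOME_NET any -> [IPs] any` form fires only when an internal host sends traffic toward a listed host.

```python
import ipaddress

# Constructed values for this example; the real ET list is far longer.
VARIABLES = {"HOME_NET": ["10.0.0.0/8"]}
COMPROMISED = "[203.0.113.7,198.51.100.0/24]"

# The two header forms the post compares (rule options omitted).
INBOUND_RULE = f"ip {COMPROMISED} any -> $HOME_NET any"
OUTBOUND_RULE = f"ip $HOME_NET any -> {COMPROMISED} any"

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def _resolve(spec, variables):
    """Expand an address spec: 'any' -> None (match all), '$VAR', or '[a,b/24]'."""
    if spec == "any":
        return None
    if spec.startswith("$"):
        return variables[spec[1:]]
    return spec.strip("[]").split(",")

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(header, src_ip, src_port, dst_ip, dst_port, variables=VARIABLES):
    """Return True if a one-way Snort header 'proto src sport -> dst dport'
    matches the given flow. Bidirectional '<>' headers are not handled here."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only '->' headers are supported in this example")
    src_nets, dst_nets = _resolve(src, variables), _resolve(dst, variables)
    return ((src_nets is None or _in_any(src_ip, src_nets))
            and (dst_nets is None or _in_any(dst_ip, dst_nets))
            and _port_ok(sport, src_port) and _port_ok(dport, dst_port))

def firing_rules(src_ip, src_port, dst_ip, dst_port):
    """Which of the two header forms would fire on this flow."""
    fired = []
    if header_matches(INBOUND_RULE, src_ip, src_port, dst_ip, dst_port):
        fired.append("inbound")
    if header_matches(OUTBOUND_RULE, src_ip, src_port, dst_ip, dst_port):
        fired.append("outbound")
    return fired

if __name__ == "__main__":
    # Constructed flows: a listed host delivering mail to the campus MX, and
    # an internal host initiating a connection to a listed host.
    print(firing_rules("203.0.113.7", 43211, "10.1.1.25", 25))    # ['inbound']
    print(firing_rules("10.1.1.50", 51000, "198.51.100.9", 6667))  # ['outbound']
```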