[Oisf-users] [Emerging-Sigs] More "Unknown type of Driveby Sigs"

Victor Julien victor at inliniac.net
Fri Nov 25 23:50:25 UTC 2011


On 11/25/2011 08:47 PM, Kevin Ross wrote:
> Actually that just gave me an idea for something that could be put into
> Suricata, and that is the option to set a flowbit in a kind of noalert state
> for the second stage, and then only if the second stage fires is an alert
> generated for the noalert type sig. That means in this case we would be
> able to suppress noisy FP sigs, but we then consider the second part (the
> download) to be indicative of an exploit kit, and so we may want to generate
> an alert for the first part only if confirmed. So it is a noalert unless
> the next sig fires, then alert on this too.

This would be achieved by having both rules set a flowbit and then have
a third rule check for both bits, right?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
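The three-rule arrangement Victor describes, written out as an added example (it is not from the thread and not from the Suricata or Emerging Threats rule sets). The sids (1000001-1000003, in the local range), the flowbit names `local.ek.stage1`/`local.ek.stage2`, and the stage-1 `content:` pattern are placeholders to be replaced with the real signatures; the stage-2 match is a simple PE-header check and also illustrative only.

```suricata
# Stage 1: the noisy landing-page heuristic. It records that it matched but
# stays silent on its own, which is the "noalert" half of Kevin's idea.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL EK landing page heuristic (stage 1, silent)"; flow:established,to_client; content:"REPLACE_WITH_STAGE1_PATTERN"; flowbits:set,local.ek.stage1; flowbits:noalert; classtype:trojan-activity; sid:1000001; rev:1;)

# Stage 2: the payload download. Considered indicative on its own, so it alerts
# as normal and additionally records its own flowbit.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL EK payload download (stage 2)"; flow:established,to_client; file_data; content:"MZ"; depth:2; flowbits:set,local.ek.stage2; classtype:trojan-activity; sid:1000002; rev:1;)

# Stage 3: the alert for the first part, raised only once both bits are set on
# the same flow, i.e. the landing page has been "confirmed" by the download.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL EK landing page confirmed by payload download"; flow:established,to_client; flowbits:isset,local.ek.stage1; flowbits:isset,local.ek.stage2; classtype:trojan-activity; sid:1000003; rev:1;)
```

Two points to keep in mind when using this pattern. Flowbits are scoped to a single flow, so stage 1 and stage 2 correlate only when the landing page and the download travel over the same TCP connection (a persistent HTTP session); if the download is fetched over a new connection, the bits live in different flows and sid 1000003 never fires, and a host-level correlation (in the SIEM, or with xbits in later Suricata versions) is needed instead. Second, sid 1000003 has no content match of its own, so it is evaluated for every packet that reaches it; keeping the `flow:` direction and protocol restrictions on it, as above, limits that cost.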