[Emerging-Sigs] 2012204 and 2011766 detect the same thing?

waldo kitty wkitty42 at windstream.net
Wed Oct 26 13:01:38 EDT 2011


emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner"; content:"From|3A 20 22|sipsscuser|22|"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:3;)

emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:5;)

both of these seem to be firing on the same traffic but they appear to be 
looking for different things... the MSG is also pretty much the same...

can we 1) get an explanation on the differences and why each is looking at what 
it is looking at?

2) if they are to be detecting the same thing, can they be combined or would 
that make the resulting rule too specific??
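To see why the two rules overlap without being identical, here is an added example (not from the post and not Emerging Threats code) that decodes each rule's content string from Snort's |hex| notation and checks it against constructed SIP OPTIONS payloads; it ignores fast_pattern and threshold and only models the byte match, so a payload carrying both the sipsscuser From header and the sundayddr User-Agent trips both sids, while a payload with just one of them trips only one.

```python
# Content matches copied from the two rules in the post (Snort |hex| notation).
RULES = {
    2012204: 'From|3A 20 22|sipsscuser|22|',
    2011766: '|0d 0a|User-Agent|3A| sundayddr',
}


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split('|')):
        if i % 2:  # odd-indexed chunks sit between pipes: hex bytes
            out += bytes.fromhex(chunk.replace(' ', ''))
        else:      # even-indexed chunks are literal text
            out += chunk.encode('latin-1')
    return bytes(out)


def matching_sids(payload: bytes) -> list:
    """Return the sids whose content match is found in the UDP payload."""
    return sorted(sid for sid, pat in RULES.items()
                  if decode_content(pat) in payload)


# Constructed sample payloads (not real captures); addresses are documentation ranges.
FULL = (b'OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n'
        b'Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-0\r\n'
        b'From: "sipsscuser"<sip:100@192.0.2.10>\r\n'
        b'To: "sipsscuser"<sip:100@192.0.2.10>\r\n'
        b'User-Agent: sundayddr\r\n'
        b'Content-Length: 0\r\n\r\n')
# Same request with the User-Agent rewritten: only the From-based rule fires.
FROM_ONLY = FULL.replace(b'User-Agent: sundayddr', b'User-Agent: friendly-scanner')
# Same request with the display name rewritten: only the User-Agent rule fires.
UA_ONLY = FULL.replace(b'"sipsscuser"', b'"100"')

if __name__ == '__main__':
    for name, payload in (('FULL', FULL), ('FROM_ONLY', FROM_ONLY), ('UA_ONLY', UA_ONLY)):
        print(name, matching_sids(payload))
```

Combining the two content matches into one rule would require both strings in the same packet, so the FROM_ONLY and UA_ONLY cases above would no longer alert.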


