[Emerging-Sigs] 2012204 and 2011766 detect the same thing?

Kevin Ross kevross33 at googlemail.com
Wed Oct 26 14:37:10 EDT 2011


Nothing more than extra detection in case one thing is changed.

On 26 October 2011 18:01, waldo kitty <wkitty42 at windstream.net> wrote:

>
> emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner"; content:"From|3A 20 22|sipsscuser|22|"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:3;)
>
> emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:5;)
>
> both of these seem to be firing on the same traffic but they appear to be
> looking for different things... the MSG is also pretty much the same...
>
> can we 1) get an explanation on the differences and why each is looking at what it is looking at?
>
> 2) if they are to be detecting the same thing, can they be combined or would that make the resulting rule too specific??
>
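To see why the two rules are kept separate, here is an added example (not from the thread or the ET ruleset) that decodes both quoted content matches into bytes and runs them over constructed SIP OPTIONS probes: the unmodified scanner trips both sids, and changing either the From user or the User-Agent leaves exactly one still firing. The SIP messages and addresses are constructed; the matching is a plain case-sensitive substring search, as Snort content without nocase behaves.

```python
# The two content matches quoted in the thread, in Snort's own notation:
# literal text outside |..|, space-separated hex bytes inside.
RULES = {
    2012204: 'From|3A 20 22|sipsscuser|22|',    # From: "sipsscuser"
    2011766: '|0d 0a|User-Agent|3A| sundayddr',  # \r\nUser-Agent: sundayddr
}

def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content string into the exact bytes it matches."""
    out = bytearray()
    for i, part in enumerate(pattern.split('|')):
        if i % 2 == 0:
            out += part.encode('latin-1')            # literal segment
        else:
            out += bytes.fromhex(part.replace(' ', ''))  # |hex| segment
    return bytes(out)

def matching_sids(payload: bytes) -> set:
    """Return the sids whose content is present in the UDP payload."""
    return {sid for sid, pat in RULES.items()
            if snort_content_to_bytes(pat) in payload}

def sip_options(from_user: str, user_agent: str) -> bytes:
    """Constructed SIP OPTIONS request shaped like a SIPVicious probe."""
    return (
        'OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n'
        'Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK-0\r\n'
        f'From: "{from_user}"<sip:100@198.51.100.5>;tag=1\r\n'
        'To: "100"<sip:100@192.0.2.10>\r\n'
        'Call-ID: constructed-example\r\n'
        'CSeq: 1 OPTIONS\r\n'
        f'User-Agent: {user_agent}\r\n'
        'Content-Length: 0\r\n\r\n'
    ).encode()

# Constructed traffic: the stock probe and three variations.
SAMPLES = {
    'unmodified probe':    sip_options('sipsscuser', 'sundayddr'),
    'From header changed': sip_options('sipvicious', 'sundayddr'),
    'User-Agent changed':  sip_options('sipsscuser', 'friendly-scanner'),
    'benign softphone':    sip_options('alice', 'Linphone/3.5'),
}

if __name__ == '__main__':
    for name, pkt in SAMPLES.items():
        print(f'{name:20} -> {sorted(matching_sids(pkt)) or "no alert"}')
```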