[Emerging-Sigs] 2012204 and 2011766 detect the same thing?

waldo kitty wkitty42 at windstream.net
Wed Oct 26 15:02:26 EDT 2011


On 10/26/2011 14:37, Kevin Ross wrote:
> Nothing more than extra detection in case one thing is changed.

in that case, may i suggest that the MSG for 2012204 be adjusted to be closer in 
format to the one in 2011766?

2012204 msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)";
2011766 msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)";

>
> On 26 October 2011 18:01, waldo kitty <wkitty42 at windstream.net> wrote:
>
>
>     emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner"; content:"From|3A 20 22|sipsscuser|22|"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:3;)
>
>     emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:5;)
>
>     both of these seem to be firing on the same traffic but they appear to be
>     looking for different things... the MSG is also pretty much the same...
>
>     can we 1) get an explanation on the differences and why each is looking at what
>     it is looking at?
>
>     2) if they are to be detecting the same thing, can they be combined or would
>     that make the resulting rule too specific??
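As an added illustration (not from the thread or the ET ruleset), here are the two content matches from the rules quoted above decoded into bytes and run, together with the threshold both rules share, over constructed SIP OPTIONS probes. It shows that 2012204 keys on the From header while 2011766 keys on the User-Agent header, so a single merged rule requiring both would miss a probe in which only one of them had been changed. Source addresses, timestamps and payloads are constructed sample data.

```python
# Added example, not part of the thread: the two content matches decoded from the
# rules above (Snort |hex| escapes resolved) and applied with their shared threshold.
PATTERNS = {
    2012204: b'From: "sipsscuser"',         # From|3A 20 22|sipsscuser|22|
    2011766: b"\r\nUser-Agent: sundayddr",  # |0d 0a|User-Agent|3A| sundayddr
}

def match_sids(payload):
    """SIDs whose content pattern occurs anywhere in a UDP/5060 payload."""
    return {sid for sid, pat in PATTERNS.items() if pat in payload}

def combined_matches(payload):
    """What one merged rule would require: both patterns present in the same packet."""
    return len(match_sids(payload)) == len(PATTERNS)

class Threshold:
    """threshold: type limit, count 1, seconds 60, track by_src (as in both rules)."""
    def __init__(self, seconds=60, count=1):
        self.seconds, self.count, self.state = seconds, count, {}

    def allow(self, sid, src, now):
        start, n = self.state.get((sid, src), (now, 0))
        if now - start >= self.seconds:      # fixed window expired, start a new one
            start, n = now, 0
        self.state[(sid, src)] = (start, n + 1)
        return n < self.count                # only the first `count` alerts per window

def run(packets, seconds=60):
    """packets: (timestamp_seconds, src_ip, payload) -> list of (ts, src, sid) alerts."""
    th, alerts = Threshold(seconds), []
    for ts, src, payload in packets:
        for sid in sorted(match_sids(payload)):
            if th.allow(sid, src, ts):
                alerts.append((ts, src, sid))
    return alerts

def sip_options(from_user, user_agent):
    """Constructed SIP OPTIONS probe (sample data, not a real capture)."""
    return (b"OPTIONS sip:100@10.0.0.5 SIP/2.0\r\n"
            + b'From: "' + from_user + b'"<sip:100@10.0.0.5>;tag=1\r\n'
            + b"User-Agent: " + user_agent + b"\r\n\r\n")

SAMPLE = [  # (seconds, source, payload); addresses from documentation ranges
    (0,  "203.0.113.7",  sip_options(b"sipsscuser", b"sundayddr")),  # both SIDs fire
    (5,  "203.0.113.7",  sip_options(b"sipsscuser", b"sundayddr")),  # thresholded
    (10, "198.51.100.2", sip_options(b"100", b"sundayddr")),         # 2011766 only
    (20, "192.0.2.9",    sip_options(b"sipsscuser", b"friendly")),   # 2012204 only
    (70, "203.0.113.7",  sip_options(b"sipsscuser", b"sundayddr")),  # new window
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

The third and fourth probes are the case the combined rule would lose: `combined_matches` is false for both even though one of the existing rules catches each of them.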

