[Emerging-Sigs] 2012204 and 2011766 detect the same thing?

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 26 15:22:14 EDT 2011


They are different detections: one is hitting the default From the tool uses, and one the UA it commonly uses. 

MSGs can be changed; what would you suggest? I don't want to make them identical as they're different issues…

Matt


On Oct 26, 2011, at 3:02 PM, waldo kitty wrote:

> On 10/26/2011 14:37, Kevin Ross wrote:
>> Nothing more than extra detection in case one thing is changed.
> 
> in that case, may I suggest that the MSG for 2012204 be adjusted to be closer in 
> format to the one in 2011766?
> 
> 2012204 msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)";
> 2011766 msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)";
> 
>> 
>> On 26 October 2011 18:01, waldo kitty <wkitty42 at windstream.net
>> <mailto:wkitty42 at windstream.net>> wrote:
>> 
>> 
>>    emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN
>>    Modified Sipvicious Sundayddr Scanner"; content:"From|3A 20 22|sipsscuser|22|";
>>    fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src;
>>    reference:url,code.google.com/p/sipvicious/
>>    <http://code.google.com/p/sipvicious/>; reference:url,blog.sipvicious.org/
>>    <http://blog.sipvicious.org/>;
>>    reference:url,honeynet.org.au/?q=sunday_scanner
>>    <http://honeynet.org.au/?q=sunday_scanner>; classtype:attempted-recon;
>>    sid:2012204; rev:3;)
>> 
>>    emerging-scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN
>>    Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d
>>    0a|User-Agent|3A| sundayddr"; fast_pattern:only; threshold: type limit, count 1,
>>    seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner
>>    <http://honeynet.org.au/?q=sunday_scanner>;
>>    reference:url,code.google.com/p/sipvicious/
>>    <http://code.google.com/p/sipvicious/>; reference:url,blog.sipvicious.org/
>>    <http://blog.sipvicious.org/>;
>>    reference:url,doc.emergingthreats.net/2011766
>>    <http://doc.emergingthreats.net/2011766>; classtype:attempted-recon;
>>    sid:2011766; rev:5;)
>> 
>>    Both of these seem to be firing on the same traffic but they appear to be
>>    looking for different things... the MSG is also pretty much the same...
>> 
>>    Can we 1) get an explanation on the differences and why each is looking at what
>>    it is looking at?
>> 
>>    2) If they are to be detecting the same thing, can they be combined, or would
>>    that make the resulting rule too specific?
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
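As an added illustration of the point made in this thread (not code from the thread, from Emerging Threats or from the Sipvicious project), the following Python script applies the two content matches from sids 2012204 and 2011766 to constructed SIP OPTIONS payloads. It shows that the rules key on different header fields (the From display name versus the User-Agent line), so a scanner that changes one of them is still caught by the other. It also emulates the rules' `threshold: type limit, count 1, seconds 60, track by_src` option. The byte patterns are the ones in the quoted rules; the SIP messages, IP addresses and timestamps are constructed sample data.

```python
# Added example: exercise the two ET SCAN content matches against sample SIP traffic.
from __future__ import annotations

# Byte patterns from the quoted rules, with the |hex| escapes expanded.
SID_2012204_PATTERN = b'From: "sipsscuser"'         # From|3A 20 22|sipsscuser|22|
SID_2011766_PATTERN = b'\r\nUser-Agent: sundayddr'  # |0d 0a|User-Agent|3A| sundayddr

RULES = {
    2012204: ("ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)", SID_2012204_PATTERN),
    2011766: ("ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)", SID_2011766_PATTERN),
}


def match_rules(payload: bytes) -> list[int]:
    """Return the sids whose content pattern occurs anywhere in a UDP/5060 payload."""
    return [sid for sid, (_msg, pattern) in RULES.items() if pattern in payload]


def build_sip_options(from_user: str, user_agent: str | None) -> bytes:
    """Construct a minimal SIP OPTIONS request (sample data, not a real capture)."""
    lines = [
        "OPTIONS sip:100@192.0.2.10 SIP/2.0",
        "Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK-constructed",
        f'From: "{from_user}"<sip:{from_user}@198.51.100.5>;tag=1234',
        'To: "100"<sip:100@192.0.2.10>',
        "Call-ID: constructed-call-id",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
    ]
    if user_agent is not None:          # a scanner may omit or rewrite this header
        lines.append(f"User-Agent: {user_agent}")
    lines.append("Content-Length: 0")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


class LimitThreshold:
    """Emulate 'threshold: type limit, count N, seconds S, track by_src':
    alert on the first N matches per (sid, source IP) in each S-second window,
    then stay quiet until the window expires."""

    def __init__(self, seconds: int = 60, count: int = 1) -> None:
        self.seconds = seconds
        self.count = count
        self._window: dict[tuple[int, str], tuple[float, int]] = {}  # key -> (window start, seen)

    def allow(self, sid: int, src: str, now: float) -> bool:
        key = (sid, src)
        start, seen = self._window.get(key, (now, 0))
        if now - start >= self.seconds:     # window expired: start a fresh one
            start, seen = now, 0
        seen += 1
        self._window[key] = (start, seen)
        return seen <= self.count


def run_detection(packets, threshold: LimitThreshold) -> list[tuple[float, str, int]]:
    """packets: iterable of (timestamp, src_ip, payload). Returns the alerts emitted."""
    alerts = []
    for ts, src, payload in packets:
        for sid in match_rules(payload):
            if threshold.allow(sid, src, ts):
                alerts.append((ts, src, sid))
    return alerts


# Constructed sample traffic: one scanning source, one benign phone.
SCANNER = "198.51.100.5"
SAMPLE_PACKETS = [
    (0.0, SCANNER, build_sip_options("sipsscuser", "sundayddr")),   # default From and UA
    (5.0, SCANNER, build_sip_options("sipsscuser", "sundayddr")),   # repeat inside the window
    (65.0, SCANNER, build_sip_options("scanner1", "sundayddr")),    # From changed, UA kept
    (1.0, "203.0.113.9", build_sip_options("alice", "Linphone/3.5")),  # benign OPTIONS
]

if __name__ == "__main__":
    for ts, src, sid in run_detection(SAMPLE_PACKETS, LimitThreshold()):
        print(f"t={ts:5.1f} src={src} sid={sid} msg={RULES[sid][0]!r}")
```

Running the script emits both sids for the first scanner packet, suppresses the repeat at t=5 because the 60-second limit is tracked per source, and at t=65 emits only 2011766, since the From display name no longer matches but the User-Agent still does. That is the overlap-with-independent-coverage behaviour Matt describes: the two rules fire together on an unmodified scanner and separately once one field is changed.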


