[Emerging-Sigs] Rule dupe, well msg anyway. Is that allowed?

James Lay jlay at slave-tothe-box.net
Wed Dec 12 07:07:30 HAST 2012


On 2012-12-12 09:36, Giles Coochey wrote:
> On 12/12/2012 16:34, Will Metcalf wrote:
>> Sure :) sid differs...
> Content clause differs too...
>>
>> On Wed, Dec 12, 2012 at 10:33 AM, Paul Halliday 
>> <paul.halliday at gmail.com> wrote:
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE
>>> Possible Call with No Offset TCP Shellcode"; flow:established;
>>> content:"|E8 00 00 00 00 58|"; fast_pattern:only;
>>> reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/;
>>> classtype:shellcode-detect; sid:2012086; rev:1;)
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE
>>> Possible Call with No Offset TCP Shellcode"; flow:established;
>>> content:"|E8 00 00 00 00 8F|"; fast_pattern:only;
>>> reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/;
>>> classtype:shellcode-detect; sid:2012088; rev:1;)
>>>
>>> --
>>> Paul Halliday
>>> http://www.pintumbler.org/

As does the content... seems this is a same msg, different content 
thing.

James
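The distinction the thread lands on (sid must be unique, msg need not be, and two rules with the same msg are fine as long as their content differs) is easy to check mechanically before loading a ruleset. The following linter is an added example for this thread, not ET's own tooling: it parses the two rules Paul posted plus two constructed rules (sids 2012099 and the reused 2012088, and the `|E8 00 00 00 00 5B|` content are hypothetical, added only to trigger the other two findings) and reports three kinds of overlap separately: sid collisions, rules sharing a msg, and rules whose header and content clauses are byte-for-byte identical.

```python
import re
from collections import defaultdict

# Constructed sample ruleset: the two ET rules from the thread, plus two
# hypothetical rules (sid 2012099 and a second use of 2012088) that are NOT
# real ET rules and exist only to exercise the other linter findings.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:1;)
# constructed: same header and content as 2012086 under a new sid (redundant rule)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Constructed copy of 2012086"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; classtype:shellcode-detect; sid:2012099; rev:1;)
# constructed: reuses sid 2012088 for different logic (a real conflict)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Constructed sid collision"; flow:established; content:"|E8 00 00 00 00 5B|"; fast_pattern:only; classtype:shellcode-detect; sid:2012088; rev:1;)
'''

# One "keyword:value;" option; quoted values may contain ';' and escaped quotes.
OPT_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Split a rule into its header and the msg/content/sid options we care about."""
    header, _, options = line.strip().partition("(")
    fields = defaultdict(list)
    for key, value in OPT_RE.findall(options.rstrip().rstrip(")")):
        fields[key].append(value.strip('"'))
    return {
        "header": header.strip(),
        "msg": fields["msg"][0] if fields["msg"] else "",
        "sid": int(fields["sid"][0]) if fields["sid"] else None,
        "content": tuple(fields["content"]),   # every content clause, in order
    }


def lint_rules(text):
    """Group rules by sid, by msg and by detection logic; report each kind of overlap."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    by_sid, by_msg, by_logic = defaultdict(list), defaultdict(list), defaultdict(list)
    for r in rules:
        by_sid[r["sid"]].append(r)
        by_msg[r["msg"]].append(r)
        # header + content clauses is what the engine actually matches on
        by_logic[(r["header"], r["content"])].append(r)
    return {
        # hard error: a sid must be unique within a ruleset
        "sid_collisions": {sid: [r["msg"] for r in rs]
                           for sid, rs in by_sid.items() if len(rs) > 1},
        # allowed, as in the thread: same msg is fine when sid and content differ
        "shared_msgs": {msg: sorted(r["sid"] for r in rs)
                        for msg, rs in by_msg.items() if len(rs) > 1},
        # wasteful: two sids firing on exactly the same header and content
        "identical_logic": [sorted(r["sid"] for r in rs)
                            for rs in by_logic.values() if len(rs) > 1],
    }


if __name__ == "__main__":
    for kind, hits in lint_rules(SAMPLE_RULES).items():
        print(kind, hits)
```

On the real pair from the thread the linter only reports `shared_msgs`, which is the harmless case; the constructed rules are what produce the sid collision and the identical-logic hit. The identical-logic check keys only on header plus content clauses, so rules that differ only in pcre, flowbits or byte_test options would be reported as duplicates; a production linter would normalise the full option set before comparing.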

