[Emerging-Sigs] Rule dupe, well msg anyway. Is that allowed?

Paul Halliday paul.halliday at gmail.com
Wed Dec 12 07:16:47 HAST 2012


On Wed, Dec 12, 2012 at 1:07 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2012-12-12 09:36, Giles Coochey wrote:
>>
>> On 12/12/2012 16:34, Will Metcalf wrote:
>>>
>>> Sure :) sid differs...
>>
>> Content clause differs too...
>>>

At what point do different conditions for a similar situation warrant
a different signature message? For example, why not just 1 RBN or CNC
rule?

What are the rules?


>>>
>>> On Wed, Dec 12, 2012 at 10:33 AM, Paul Halliday <paul.halliday at gmail.com>
>>> wrote:
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:1;)
>>>>
>>>> --
>>>> Paul Halliday
>>>> http://www.pintumbler.org/
>
>
> As does the content....seems this is a same msg, different content thing.
>
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Curre
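The two rules quoted in this thread share a msg but match different byte sequences: E8 00 00 00 00 is an x86 CALL rel32 with a zero displacement (the "call with no offset" GetPC idiom, which pushes the address of the next instruction), and the sixth byte selects the POP that recovers it, 0x58 (pop eax) in sid:2012086 and 0x8F (pop r/m32) in sid:2012088. The following is an added example, not code from the list, the rule authors or the referenced article: a small C scanner that finds the CALL-with-no-offset sequence in a byte buffer and classifies the POP that follows it. It generalises slightly beyond the two rules by also naming the other single-byte POP r32 forms (0x59 through 0x5F). The sample payload is constructed for the example, not captured traffic, and the helper names (scan_getpc, pop_name, sample_hit_*) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CALL rel32 with a zero displacement: the pushed return address is the
 * byte immediately after these five, so a following POP recovers it.
 * This is the byte sequence both rules anchor on with fast_pattern. */
static const uint8_t CALL_NO_OFFSET[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};

typedef struct {
    size_t offset;      /* offset of the E8 byte in the buffer */
    uint8_t pop_opcode; /* the byte that follows the CALL */
    const char *name;   /* mnemonic for that POP form */
} getpc_hit;

/* Name the opcode byte that follows CALL $+5, or return NULL when it is
 * not a POP (the sequence is then not the GetPC idiom). 0x58 is the form
 * sid:2012086 matches, 0x8F the form sid:2012088 matches. */
const char *pop_name(uint8_t op)
{
    static const char *regs[8] = {
        "pop eax", "pop ecx", "pop edx", "pop ebx",
        "pop esp", "pop ebp", "pop esi", "pop edi"};
    if (op >= 0x58 && op <= 0x5F)
        return regs[op - 0x58];
    if (op == 0x8F)
        return "pop r/m32";
    return NULL;
}

/* Scan buf for CALL-with-no-offset followed by a POP. Stores up to max_hits
 * matches in hits and returns the total number of matches found. */
size_t scan_getpc(const uint8_t *buf, size_t len, getpc_hit *hits, size_t max_hits)
{
    size_t n = 0;
    /* i + 5 must be a valid index so the POP byte can be read */
    for (size_t i = 0; i + sizeof(CALL_NO_OFFSET) < len; i++) {
        if (memcmp(buf + i, CALL_NO_OFFSET, sizeof(CALL_NO_OFFSET)) != 0)
            continue;
        uint8_t op = buf[i + sizeof(CALL_NO_OFFSET)];
        const char *name = pop_name(op);
        if (name == NULL)
            continue;
        if (n < max_hits) {
            hits[n].offset = i;
            hits[n].pop_opcode = op;
            hits[n].name = name;
        }
        n++;
    }
    return n;
}

/* Constructed sample (not captured traffic): filler, the sid:2012086 form,
 * filler, the sid:2012088 form with a modrm byte, a CALL with a non-zero
 * displacement that must not match, and a truncated CALL at the end. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x41,
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x58,       /* call $+5 ; pop eax */
    0x31, 0xC0,
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x00, /* call $+5 ; pop dword [eax] */
    0xE8, 0x10, 0x00, 0x00, 0x00, 0x5E,       /* call $+0x15 ; pop esi: no match */
    0xE8, 0x00, 0x00, 0x00, 0x00,             /* CALL with nothing after it */
};

/* Small accessors over the sample so results can be checked by name. */
size_t sample_hit_count(void)
{
    getpc_hit h[8];
    return scan_getpc(SAMPLE, sizeof(SAMPLE), h, 8);
}

size_t sample_hit_offset(size_t idx)
{
    getpc_hit h[8];
    size_t n = scan_getpc(SAMPLE, sizeof(SAMPLE), h, 8);
    return idx < n ? h[idx].offset : (size_t)-1;
}

uint8_t sample_hit_opcode(size_t idx)
{
    getpc_hit h[8];
    size_t n = scan_getpc(SAMPLE, sizeof(SAMPLE), h, 8);
    return idx < n ? h[idx].pop_opcode : 0;
}

int main(void)
{
    getpc_hit hits[8];
    size_t n = scan_getpc(SAMPLE, sizeof(SAMPLE), hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: call $+5 ; %s (0x%02X)\n",
               hits[i].offset, hits[i].name, hits[i].pop_opcode);
    return 0;
}
```

Run against the sample, the scanner reports the two GetPC sequences at offsets 3 and 11 and ignores the CALL with a non-zero displacement. The same six-byte sequences are also legitimate position-independent code, so, as with the rules, a hit is a reason to look at the stream rather than proof of shellcode.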

