[Emerging-Sigs] duplicate rules -- sort of...
r.fulton at auckland.ac.nz
Mon Sep 22 23:04:14 EDT 2014
I am using the etpro 2.0.3 rules and I find that there are:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:6;)
alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh2-"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:2;)
Both of these are triggering. I take it the latter is taking advantage of the app-layer decoding. Is it an oversight that the former rule is still enabled?
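As an added illustration (not part of the original post or of the ET ruleset), the Python below models how each of the two rules matches an SSH client identification string. sid 2006435 is a raw content match: "libssh" must appear within 20 bytes after "SSH-", and the rule is bound to tcp/22. sid 2018689 goes through the SSH app-layer parser and compares the softwareversion field of the RFC 4253 identification line; the comparison is modelled here as a prefix match against "libssh2-", which is an assumption about how Suricata's ssh.softwareversion keyword behaves. The per-source `threshold: type limit, count 1, seconds 30` that both rules carry is modelled too. All banners are constructed test inputs, not captured traffic.

```python
"""Model of the match logic of ET sids 2006435 and 2018689 (added example, not ET code)."""
from typing import Dict, NamedTuple, Optional, Tuple


class Verdict(NamedTuple):
    sid_2006435: bool  # raw content match, tcp/22 only
    sid_2018689: bool  # app-layer ssh.softwareversion match, any port


def parse_software_version(banner: bytes) -> Optional[bytes]:
    """Extract softwareversion from 'SSH-protoversion-softwareversion SP comments CR LF'
    (RFC 4253 section 4.2). Returns None if the line is not an SSH identification string."""
    line = banner.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    if not line.startswith(b"SSH-"):
        return None
    parts = line.split(b"-", 2)  # ['SSH', protoversion, 'softwareversion comments']
    if len(parts) < 3:
        return None
    return parts[2].split(b" ", 1)[0]


def match_2006435(payload: bytes, dport: int) -> bool:
    """alert tcp ... -> $HOME_NET 22 ; content:"SSH-"; content:"libssh"; within:20;
    'within:20' means "libssh" must end within 20 bytes after the end of the "SSH-" match."""
    if dport != 22:
        return False
    pos = payload.find(b"SSH-")
    while pos != -1:
        end = pos + len(b"SSH-")
        if b"libssh" in payload[end:end + 20]:
            return True
        pos = payload.find(b"SSH-", pos + 1)  # try later anchors, like the detect engine does
    return False


def match_2018689(payload: bytes) -> bool:
    """alert ssh ... -> $HOME_NET any ; ssh.softwareversion:"libssh2-"
    Modelled as a prefix comparison on the parsed softwareversion field (assumption)."""
    sv = parse_software_version(payload)
    return sv is not None and sv.startswith(b"libssh2-")


def evaluate(payload: bytes, dport: int = 22) -> Verdict:
    return Verdict(match_2006435(payload, dport), match_2018689(payload))


class LimitThreshold:
    """threshold: type limit, track by_src, count N, seconds S
    Lets through at most `count` alerts per source in each `seconds` window."""

    def __init__(self, count: int = 1, seconds: int = 30) -> None:
        self.count, self.seconds = count, seconds
        self.state: Dict[str, Tuple[float, int]] = {}  # src -> (window start, alerts sent)

    def allow(self, src: str, now: float) -> bool:
        start, sent = self.state.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            self.state[src] = (now, 1)  # open a new window with this alert
            return True
        if sent < self.count:
            self.state[src] = (start, sent + 1)
            return True
        return False


# Constructed sample client banners (not real captures).
SAMPLES = [
    (b"SSH-2.0-libssh2-1.4.3\r\n", 22),    # both rules fire: the overlap reported in the post
    (b"SSH-2.0-libssh-0.6.3\r\n", 22),     # only 2006435: libssh, not libssh2
    (b"SSH-2.0-libssh2-1.4.3\r\n", 2222),  # only 2018689: app-layer rule is port-agnostic
    (b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n", 22),  # neither
]


def demo() -> Dict[Tuple[bytes, int], Verdict]:
    return {(b, p): evaluate(b, p) for b, p in SAMPLES}


if __name__ == "__main__":
    for (banner, port), v in demo().items():
        print(f"{banner!r:50} dport={port:<5} 2006435={v.sid_2006435} 2018689={v.sid_2018689}")
```

Running the samples shows where the two rules overlap (a libssh2 client on port 22) and where they do not (a plain libssh client, or SSH on a non-standard port), which is the practical difference between the content-based and the app-layer variant.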