[Emerging-Sigs] duplicate rules -- sort of...

Russell Fulton r.fulton at auckland.ac.nz
Mon Sep 22 23:04:14 EDT 2014


I am using the etpro 2.0.3 rules and I find that there are:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:6;)

alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh2-"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:2;)

Both of which are triggering.  I take it the latter is taking advantage of the app-layer decoding.  Is it an oversight that the former rule is still enabled?

Russell
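The overlap Russell describes, worked through as an added example (not code from the post or from Emerging Threats): a small Python model of each rule's match condition, run over constructed banner events, showing which events would fire one rule, the other, or both. The 'within' arithmetic and the ssh.softwareversion comparison are simplified as noted in the comments, and the banner strings are constructed, not captured.

```python
import re

# Constructed (dest_port, client banner) events, not captured traffic. The
# banner strings are chosen to exercise the rule logic and are not claimed to
# be any particular SSH library's exact banner.
EVENTS = [
    (22,   b"SSH-2.0-libssh2-1.4.3\r\n"),             # libssh2-style client on 22
    (2222, b"SSH-2.0-libssh2-1.4.3\r\n"),             # same client, non-standard port
    (22,   b"SSH-2.0-libssh-0.6.3\r\n"),              # libssh (not libssh2)
    (22,   b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n"),
    (22,   b"SSH-2.0-paramiko_1.15.1\r\n"),
]

def sid_2006435(dport: int, payload: bytes) -> bool:
    """Port 22 only; content:"SSH-"; content:"libssh"; within:20;
    'within' means the second match must end no more than 20 bytes after
    the end of the first match."""
    if dport != 22:
        return False
    i = payload.find(b"SSH-")
    if i < 0:
        return False
    after = i + len(b"SSH-")
    j = payload.find(b"libssh", after)
    return j >= 0 and (j + len(b"libssh")) - after <= 20

def ssh_softwareversion(payload: bytes):
    """The softwareversion field of an RFC 4253 identification string:
    SSH-protoversion-softwareversion [SP comments] CR LF."""
    m = re.match(rb"SSH-[^-\r\n]+-([^ \r\n]+)", payload)
    return m.group(1) if m else None

def sid_2018689(dport: int, payload: bytes) -> bool:
    """Any port (SSH found by app-layer detection); ssh.softwareversion:"libssh2-",
    modelled here as a prefix comparison on the parsed field (an assumption)."""
    ver = ssh_softwareversion(payload)
    return ver is not None and ver.startswith(b"libssh2-")

def classify(events):
    """Bucket events by which of the two rules would alert on them."""
    out = {"both": [], "only_2006435": [], "only_2018689": [], "neither": []}
    for dport, payload in events:
        a, b = sid_2006435(dport, payload), sid_2018689(dport, payload)
        key = "both" if a and b else "only_2006435" if a else "only_2018689" if b else "neither"
        out[key].append((dport, payload))
    return out
```

Run `classify(EVENTS)`: the libssh2-style banner on port 22 hits both sids, the same banner on port 2222 hits only the app-layer rule, and the plain libssh banner hits only the content rule, so the two are overlapping rather than strict duplicates.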

