[Emerging-Sigs] duplicate rules -- sort of...

Francis Trudeau ftrudeau at emergingthreats.net
Tue Sep 23 12:52:14 EDT 2014


Thanks for pointing that out.

I am pretty sure we can make those into one sig.  Or at least make
them not flag on the same traffic.

I am wondering why your ruleset has the Snort version rule for 2006435
and the Suricata version for 2018689.

For Suricata I have:

alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:10;)

alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:3;)

Which shouldn't flag on the same traffic.

ft




On Mon, Sep 22, 2014 at 9:04 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> I am using the etpro 2.0.3 rules and I find that there are:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:6;)
>
> alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh2-"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:2;)
>
> Both of which are triggering.  I take it the latter is taking advantage of the app-layer decoding.  Is it an oversight that the former rule is still enabled?
>
> Russell
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
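To make concrete why Russell's pair fires together while Francis's pair should not, here is an added Python emulation of the three rules quoted in this thread. It is not code from the thread, from Emerging Threats or from Suricata. It assumes client banners of the form "SSH-2.0-libssh-x.y.z" and "SSH-2.0-libssh2_x.y.z" (constructed, not captured), treats ssh.softwareversion as a content match on the parsed softwareversion field (whether Suricata 2.0 matched by prefix or substring is not stated on this page; for these banners both give the same answer), and models the shared `threshold: type limit, track by_src, count 1, seconds 30` with constructed timestamps and RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed SSH client identification strings (RFC 4253 "SSH-proto-software [comments]").
# The libssh/libssh2 forms follow the prefixes the ET rules look for; they are not captured traffic.
BANNERS = {
    "libssh": "SSH-2.0-libssh-0.6.3\r\n",
    "libssh2": "SSH-2.0-libssh2_1.4.3\r\n",
    "openssh": "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n",
}

# Labels for the three rules quoted in the thread (Russell's content rule, Francis's two Suricata rules).
OLD_CONTENT = "sid:2006435 rev:6 (content match)"
SURI_LIBSSH = "sid:2006435 rev:10 (ssh.softwareversion)"
SURI_LIBSSH2 = "sid:2018689 rev:3 (ssh.softwareversion)"


def software_version(banner: str) -> Optional[str]:
    """Return the softwareversion field of an SSH identification string, or None."""
    m = re.match(r"SSH-\d+\.\d+-(\S+)", banner)
    return m.group(1) if m else None


def content_within(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Emulate `content:first; content:second; within:N;`: the second pattern must lie
    entirely inside the N bytes that follow the end of the first match."""
    start = payload.find(first)
    if start < 0:
        return False
    end_first = start + len(first)
    return second in payload[end_first:end_first + within]


def fired(banner: str) -> Set[str]:
    """Which of the three rules match one client banner (flow:to_server assumed)."""
    hits: Set[str] = set()
    if content_within(banner.encode(), b"SSH-", b"libssh", 20):
        hits.add(OLD_CONTENT)          # "libssh" is a substring of "libssh2" too
    sv = software_version(banner)
    # Assumption: ssh.softwareversion behaves as a content match on the parsed field;
    # for these banners a prefix match would give the same result.
    if sv is not None and "libssh-" in sv:
        hits.add(SURI_LIBSSH)
    if sv is not None and "libssh2_" in sv:
        hits.add(SURI_LIBSSH2)
    return hits


class LimitThreshold:
    """Emulate `threshold: type limit, track by_src, count C, seconds S`: at most C alerts
    per (rule, src) in each S-second window, the window opening at the first alert."""

    def __init__(self, count: int = 1, seconds: int = 30) -> None:
        self.count, self.seconds = count, seconds
        self.state: Dict[Tuple[str, str], Tuple[float, int]] = {}

    def allow(self, rule: str, src: str, now: float) -> bool:
        key = (rule, src)
        start, seen = self.state.get(key, (-float("inf"), 0))
        if now - start >= self.seconds:
            self.state[key] = (now, 1)       # first alert opens a fresh window
            return True
        if seen < self.count:
            self.state[key] = (start, seen + 1)
            return True
        return False                         # limit reached for this window


def run_sensor(events: List[Tuple[float, str, str]], seconds: int = 30) -> List[Tuple[float, str, str]]:
    """Apply all three rules plus the per-rule threshold to (timestamp, src_ip, banner) events."""
    th = LimitThreshold(count=1, seconds=seconds)
    alerts: List[Tuple[float, str, str]] = []
    for ts, src, banner in events:
        for rule in sorted(fired(banner)):
            if th.allow(rule, src, ts):
                alerts.append((ts, src, rule))
    return alerts


# Constructed brute-force pattern: one libssh2 client reconnecting every few seconds,
# plus a second source inside the same window (addresses from RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", BANNERS["libssh2"]),
    (5.0, "198.51.100.7", BANNERS["libssh2"]),
    (5.0, "203.0.113.9", BANNERS["libssh2"]),
    (10.0, "198.51.100.7", BANNERS["libssh2"]),
    (40.0, "198.51.100.7", BANNERS["libssh2"]),
]

if __name__ == "__main__":
    for name, banner in BANNERS.items():
        print(f"{name:8s} -> {sorted(fired(banner))}")
    for alert in run_sensor(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the libssh banner lights up the content rule and 2006435 rev:10, the libssh2 banner lights up the content rule and 2018689, and OpenSSH matches nothing: the raw `content:"libssh"; within:20;` match is what overlaps both, while the two ssh.softwareversion rules never fire on the same banner. The threshold emulation shows the other half of Russell's observation: a reconnecting client produces one alert per rule per source every 30 seconds, so an enabled duplicate doubles the alert volume rather than adding a one-off.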

