[Emerging-Sigs] Duplicate + Inaccurate MSG - SID 2019310

Brandon Murphy bmurphy at emergingthreats.net
Mon Dec 2 10:57:26 HST 2019


Thanks for pointing this out Nathan! I'll get the msg for 2019310
changed for today's release.

-Brandon

On 11/29/19 11:14, Nathan via Emerging-sigs wrote:
> It appears the nomenclature below in the "msg" field is duplicated in SID
> 2019309.  This signature indicates "WGET" however this is actually a Perl
> command and is not associated with "WGET".
>
> alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command
> Specifying Output in HTTP Headers"; flow:established,to_server;
> content:"lwp-download "; fast_pattern; http_header;
> pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/Hm";
> reference:url,blogs.akamai.com/2014/09/environment-bashing.html;
> classtype:attempted-admin; sid:2019310; rev:3; metadata:created_at 2014_09_29,
> updated_at 2019_10_07;)
>
> Cheers,
> Nathan

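The two problems raised in this thread (one msg shared by two SIDs, and a msg naming a tool the rule does not actually match on) can be caught with a small lint pass over a rules file. The following is an added example, not part of the original messages or of Emerging Threats tooling; the second rule, its SID 9000001 and the TOOLS watchlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Rule 1 is SID 2019310 as quoted in the thread. Rule 2 is a constructed
# sibling (placeholder SID) that shares the msg and really matches "wget ".
RULES = [
    r'alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command '
    r'Specifying Output in HTTP Headers"; flow:established,to_server; '
    r'content:"lwp-download "; fast_pattern; http_header; '
    r'pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/Hm"; '
    r'reference:url,blogs.akamai.com/2014/09/environment-bashing.html; '
    r'classtype:attempted-admin; sid:2019310; rev:3; '
    r'metadata:created_at 2014_09_29, updated_at 2019_10_07;)',
    r'alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command '
    r'Specifying Output in HTTP Headers"; flow:established,to_server; '
    r'content:"wget "; http_header; sid:9000001; rev:1;)',
]
TOOLS = ("wget", "curl", "lwp-download")  # assumed watchlist, not from the ruleset

# keyword, optionally followed by ':' and a quoted or bare value, then ';'
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?;')

def parse_options(rule):
    """Return {keyword: [values]} for the option block between the outer parens."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = defaultdict(list)
    for key, val in OPTION.findall(body):
        opts[key].append(val.strip().strip('"'))
    return opts

def lint(rules):
    """Flag msgs that name a tool no content matches, then msgs reused across SIDs."""
    by_msg, findings = defaultdict(list), []
    for rule in rules:
        o = parse_options(rule)
        sid, msg = o["sid"][0], o["msg"][0]
        by_msg[msg].append(sid)
        contents = " ".join(o["content"]).lower()
        words = re.findall(r"[\w-]+", msg.lower())
        for tool in TOOLS:
            if tool in words and tool not in contents:
                findings.append((sid, "msg names '%s' but no content matches it" % tool))
    for msg, sids in by_msg.items():
        if len(sids) > 1:
            findings.append((",".join(sorted(sids)), "duplicate msg"))
    return findings

if __name__ == "__main__":
    for where, problem in lint(RULES):
        print(where, problem)
```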

