[Emerging-Sigs] Very old rule is rather broken

Duane Howard duane.security at gmail.com
Sat Oct 19 18:51:01 HDT 2019


While working on a rule parser, I noticed that this old policy rule is
quite broken. Note the lack of an opening " on the pcre.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_user_agent; *pcre:/Java/\d\.\d/Vi";* threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30

These two are in deleted.rules but they're using a deprecated keyword
*ssh.softwareversion* in the 4.0 ruleset:
#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; *ssh.softwareversion*:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; *ssh.softwareversion*:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:3; metadata:created_at 2014_07_17, updated_at 2014_07_17;)

Cheers,
Duane
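The two defects reported above (an option value whose double quote is never closed, and a keyword the target engine has deprecated) are exactly what a small option-body lint catches before a ruleset is loaded. The following is an added example, not code from the post or from the Emerging Threats project. It assumes nothing about Suricata beyond the text of the post: the DEPRECATED_KEYWORDS set contains only the keyword the post names, and the three sample rules are the ones quoted above, with the first reproduced as posted (emphasis markers removed, and still without a closing parenthesis, which the lint also reports).

```python
"""Lint Suricata/Snort rule option bodies for two classes of defect:
an option value whose double quote is opened but never closed, and a
keyword the target engine no longer accepts.  Added example; not part
of the Emerging Threats ruleset or tooling."""
from typing import List, Tuple

# Assumption: only the keyword named in the post is listed; extend per engine.
DEPRECATED_KEYWORDS = {"ssh.softwareversion"}


def split_options(body: str) -> Tuple[List[str], str]:
    """Split an option body on ';' that sit outside double quotes, honouring
    backslash escapes.  Returns (options, unterminated_fragment): the fragment
    is the text of the option in which a quote was opened and never closed
    (everything after it is swallowed into that option), or '' if balanced."""
    opts: List[str] = []
    cur: List[str] = []
    in_quote = escape = False
    for ch in body:
        if escape:                 # character after a backslash is literal
            cur.append(ch)
            escape = False
            continue
        if ch == "\\":
            cur.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if in_quote:
        return opts, tail
    if tail:
        opts.append(tail)
    return opts, ""


def lint_rule(rule: str) -> List[str]:
    """Return human-readable findings for one rule line.  A leading '#'
    (disabled rule, as in deleted.rules) is accepted."""
    findings: List[str] = []
    text = rule.strip().lstrip("#").strip()
    start = text.find("(")
    if start < 0:
        return ["no '(' found: not a rule"]
    body = text[start + 1:]
    if body.endswith(")"):
        body = body[:-1]
    else:
        findings.append("rule does not end with ')'")
    opts, unterminated = split_options(body)
    if unterminated:
        key = unterminated.split(":", 1)[0].strip()
        findings.append(f"option '{key}': double quote opened but never closed")
    for opt in opts:
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key in DEPRECATED_KEYWORDS:
            findings.append(f"option '{key}': deprecated keyword")
        # A value that contains quotes must be entirely enclosed in them.
        if '"' in value and not (value.startswith('"') and value.endswith('"')):
            findings.append(f"option '{key}': value not fully enclosed in quotes")
    return findings


# The three rules quoted in the post, each on a single line.
RULES = [
    r'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; '
    r'flow:established,to_server; content:"Java/"; nocase; http_user_agent; pcre:/Java/\d\.\d/Vi"; '
    r'threshold: type both, track by_src, count 10, seconds 60; '
    r'reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; '
    r'reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:12; '
    r'metadata:created_at 2010_07_30, updated_at 2010_07_30',
    r'#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; '
    r'flow:established,to_server; ssh.softwareversion:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30;  '
    r'reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:10; '
    r'metadata:created_at 2010_07_30, updated_at 2010_07_30;)',
    r'#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; '
    r'flow:established,to_server; ssh.softwareversion:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30;  '
    r'classtype:misc-activity; sid:2018689; rev:3; metadata:created_at 2014_07_17, updated_at 2014_07_17;)',
]

if __name__ == "__main__":
    for rule in RULES:
        sid = next((o for o in rule.split(";") if o.strip().startswith("sid:")), "?").strip()
        for finding in lint_rule(rule) or ["ok"]:
            print(f"{sid}: {finding}")
```

Because the tokenizer treats everything after the stray quote as part of the pcre option, the first rule yields a single quote finding attributed to pcre rather than a cascade of errors on the options that follow it; that is the same reason a rule engine would reject the whole line rather than just the pcre.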