[Emerging-Sigs] Very old rule is rather broken

Jason Williams jwilliams at emergingthreats.net
Mon Oct 21 06:07:11 HDT 2019


Thanks very much! Will get these fixed up today.

Jason

On Sat, Oct 19, 2019 at 9:51 PM Duane Howard <duane.security at gmail.com>
wrote:

> While working on a rule parser, I noticed that this old policy rule is
> quite broken. Note the lack of opening " on the pcre.
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib
> User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase;
> http_user_agent; *pcre:/Java/\d\.\d/Vi";* threshold: type both, track
> by_src, count 10, seconds 60; reference:url,
> www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,
> doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945;
> rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30
>
> These two are in deleted.rules but they're using a deprecated keyword
> *ssh.softwareversion* in the 4.0 ruleset:
> #alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH
> Based SSH Connection - Often used as a BruteForce Tool";
> flow:established,to_server; *ssh.softwareversion*:"libssh-"; threshold:
> type limit, track by_src, count 1, seconds 30;  reference:url,
> doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435;
> rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
> :#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2
> Based SSH Connection - Often used as a BruteForce Tool";
> flow:established,to_server; *ssh.softwareversion*:"libssh2_"; threshold:
> type limit, track by_src, count 1, seconds 30;  classtype:misc-activity;
> sid:2018689; rev:3; metadata:created_at 2014_07_17, updated_at 2014_07_17;)
>
> Cheers,
> Duane
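A small rule-options linter along the lines of the parser mentioned above, added here as an illustration (it is not Duane's parser or any Emerging Threats tooling): it flags the two defects in the post, the pcre option whose opening quote is missing and the deprecated ssh.softwareversion keyword. The sample rules are the ones quoted above, reflowed onto one line with the emphasis markers removed, plus a constructed well-formed rule for comparison.

```python
# Added example (not the post's parser). ssh.softwareversion is the deprecated keyword
# named in the post; extend the set for other keywords your ruleset version has dropped.
DEPRECATED_KEYWORDS = {"ssh.softwareversion"}
QUOTED_VALUE_KEYWORDS = {"msg", "content", "pcre"}  # values must be double-quoted strings

def split_options(body):
    """Split on ';' outside double quotes; the flag is True when a quote never closed."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == '"' and not escaped:
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        escaped = ch == "\\" and not escaped  # a backslash escapes the next character
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts, in_quote

def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means the checks passed."""
    rule = rule.strip().lstrip("#").strip()  # disabled (commented-out) rules are linted too
    findings = []
    start, end = rule.find("("), rule.rfind(")")
    if start == -1:
        return ["no option section found"]
    if end < start:
        findings.append("missing closing parenthesis")
        end = len(rule)
    opts, unterminated = split_options(rule[start + 1:end])
    for opt in opts:
        keyword, _, value = opt.partition(":")
        keyword = keyword.strip()
        if keyword in DEPRECATED_KEYWORDS:
            findings.append(f"deprecated keyword: {keyword}")
        if keyword in QUOTED_VALUE_KEYWORDS and not value.strip().startswith('"'):
            findings.append(f"{keyword} value must start with a double quote")
    if unterminated:
        findings.append("unterminated double quote in options")
    return findings

# Sample input: the two rules from the post (one line each, emphasis removed) and a constructed good rule.
BROKEN_PCRE_RULE = 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_user_agent; pcre:/Java/\\d\\.\\d/Vi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30'
LIBSSH_RULE = '#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)'
GOOD_RULE = 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST Java UA"; flow:established,to_server; content:"Java/"; nocase; http_user_agent; pcre:"/Java\\/\\d\\.\\d/Vi"; classtype:attempted-recon; sid:9000001; rev:1;)'
```

Running `lint_rule` over each rule in a ruleset before loading it catches this class of error at review time rather than at engine start.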