[Emerging-Sigs] SID:2018455 - Docs site does not match rule from downloaded rule set

Eric Urban eurban at umn.edu
Mon Apr 13 10:26:13 HDT 2020


Hello,

I found when looking at
https://doc.emergingthreats.net/bin/view/Main/2018455 that the latest
revision appears to have removed the content sections that basically define
what the rule should be looking for based on its msg.  There is the comment
"del content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4;
within:5; because too many false positives".

However, when you pull down the rule sets you can see the rule 2018455 does
in fact contain the content sections for "c3 16 1a" which seems correct
since the rule checks for 195.22.26.192/26.

Thank you,
-- 
Eric Urban
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu
Information Security is a shared responsibility. Learn more at:
https://z.umn.edu/uis
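To make the byte patterns in the quoted comment concrete, here is an added example (not from the list post or the Emerging Threats rule set) that builds a constructed DNS A-record response, emulates the content/distance/within matching the rule uses, and separately checks the returned address against the 195.22.26.192/26 range the message cites. The `content_match` helper and the single-answer parser are simplifications written for this example; it also shows that the three-byte `c3 16 1a` match fires for any 195.22.26.x answer, not only the /26.

```python
import ipaddress
import struct

# Patterns quoted in the list post: TYPE A / CLASS IN, then RDLENGTH 4 + 195.22.26.*
RULE_FIRST = b"\x00\x01\x00\x01"
RULE_SECOND = b"\x00\x04\xc3\x16\x1a"
RULE_NETWORK = ipaddress.ip_network("195.22.26.192/26")

def build_dns_response(ip):
    """Constructed sample (not a capture): header, one question, one A answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c"                        # owner name: pointer to offset 12
    answer += struct.pack("!HH", 1, 1)          # TYPE A, CLASS IN  -> |00 01 00 01|
    answer += struct.pack("!I", 300)            # TTL, the 4 bytes distance:4 skips
    answer += struct.pack("!H", 4)              # RDLENGTH         -> |00 04|
    answer += ipaddress.IPv4Address(ip).packed  # RDATA            -> c3 16 1a xx
    return header + question + answer

def content_match(payload, first, second, distance, within):
    """Emulate 'content:first; content:second; distance:N; within:M' (simplified)."""
    pos = 0
    while True:
        idx = payload.find(first, pos)
        if idx < 0:
            return False
        start = idx + len(first) + distance     # relative to end of previous match
        if second in payload[start:start + within]:
            return True
        pos = idx + 1                           # retry on the next occurrence of first

def rule_content_hits(payload):
    return content_match(payload, RULE_FIRST, RULE_SECOND, 4, 5)

def first_a_record(payload):
    """Return the RDATA of the first A/IN answer. Assumes the answer owner name is
    a 2-byte compression pointer, as in the constructed sample above."""
    qdcount, ancount = struct.unpack("!HH", payload[4:8])
    off = 12
    for _ in range(qdcount):
        while payload[off] != 0:                # walk question labels
            off += 1 + payload[off]
        off += 1 + 4                            # terminator + QTYPE/QCLASS
    for _ in range(ancount):
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off + 2:off + 12])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ipaddress.IPv4Address(payload[off + 12:off + 16])
        off += 12 + rdlen
    return None

def answer_in_rule_range(payload):
    ip = first_a_record(payload)
    return ip is not None and ip in RULE_NETWORK
```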