[Emerging-Sigs] SID:2018455 - Docs site does not match rule from downloaded rule set

Jack Mott jmott at emergingthreats.net
Tue Apr 14 05:20:47 HDT 2020


Hi Eric,

The comment to delete those contents is from another user like yourself and
not the Emerging Threats team. We have not made a recent modification to
this rule.

Please do not hesitate to reach out with any questions or concerns!

Best,

Jack

On Mon, Apr 13, 2020 at 1:26 PM Eric Urban <eurban at umn.edu> wrote:

> Hello,
>
> I found when looking at
> https://doc.emergingthreats.net/bin/view/Main/2018455 that the latest
> revision appears to have removed the content sections that basically define
> what the rule should be looking for based on its msg.  There is the comment
> "del content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4;
> within:5; because too many false positives".
>
> However, when you pull down the rule sets you can see the rule 2018455
> does in fact contain the content sections for "c3 16 1a" which seems
> correct since the rule checks for 195.22.26.192/26.
>
> Thank you,
> --
> Eric Urban
> Security Analyst | University Information Security (UIS)
> University of Minnesota | umn.edu
> Information Security is a shared responsibility. Learn more at:
> https://z.umn.edu/uis
>
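
Added example, not part of the original thread or of the Emerging Threats rule set: how the two content matches quoted above line up with a DNS A record, reading distance:4; within:5 as "skip four bytes (the TTL), then match inside the next five". The DNS response, the name example.test and all function names are constructed for illustration.

```python
import ipaddress
import struct

# The two content matches quoted in the thread, as raw bytes.
CONTENT_1 = bytes.fromhex("00010001")      # TYPE=A, CLASS=IN
CONTENT_2 = bytes.fromhex("0004c3161a")    # RDLENGTH=4, then octets 195.22.26
DISTANCE, WITHIN = 4, 5                    # modifiers on the second content


def build_response(qname: str, ip: str) -> bytes:
    """Constructed sample: a minimal DNS response carrying one A record."""
    # QDCOUNT=1, ANCOUNT=1 also spell 00 01 00 01, so the header is a decoy hit.
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + CONTENT_1
    answer = (b"\xc0\x0c" + CONTENT_1 + struct.pack("!IH", 300, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def rule_contents_match(payload: bytes) -> bool:
    """Apply CONTENT_1, then CONTENT_2 relative to the end of that match."""
    pos = payload.find(CONTENT_1)
    while pos != -1:
        start = pos + len(CONTENT_1) + DISTANCE   # distance:4 skips the TTL
        window = payload[start:start + WITHIN]    # within:5 bounds the match
        if CONTENT_2 in window:
            return True
        pos = payload.find(CONTENT_1, pos + 1)    # retry later occurrences
    return False


def content_prefix() -> str:
    """Decode the three address octets carried in CONTENT_2."""
    return ".".join(str(b) for b in CONTENT_2[2:])


if __name__ == "__main__":
    print(content_prefix())                       # shared prefix of the /26
    for ip in ("195.22.26.200", "195.22.26.10", "195.22.27.200"):
        print(ip, rule_contents_match(build_response("example.test", ip)))
```

These two contents fix only the first three octets, so any A record in 195.22.26.0/24 satisfies them; narrowing to 195.22.26.192/26 needs a further check on the last octet.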