[Emerging-Sigs] SID:2018455 - Docs site does not match rule from downloaded rule set

Eric Urban eurban at umn.edu
Tue Apr 14 05:25:08 HDT 2020


Thank you for your response.  So you mean to say the signature at the top
of the page that is "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET
TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26";
byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|";
nocase; content:!"|05|mpsmx|03|net|00|"; nocase;
content:!"|09|mailspike|03|com|00|"; nocase;
content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track
by_src, seconds 60, count 1; metadata: former_category TROJAN;
classtype:trojan-activity; sid:2018455; rev:5; metadata:created_at
2014_05_08, updated_at 2018_04_20;)" is actually just a user-submitted
comment and does not reflect the state of the rule?

I did not realize the docs worked this way.  My understanding was that the
signatures there reflected actual changes that had been made to the rules
to be distributed, but based on your email it seems I am mistaken and
anyone, or at least registered users, can post modifications for submission
that will show up on the page?


-- 
Eric Urban
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu
Information Security is a shared responsibility. Learn more at:
https://z.umn.edu/uis


On Tue, Apr 14, 2020 at 9:20 AM Jack Mott <jmott at emergingthreats.net> wrote:

> Hi Eric,
>
> The comment to delete those contents is from another user like yourself
> and not the Emerging Threats team. We have not made a recent modification
> to this rule.
>
> Please do not hesitate to reach out with any questions or concerns!
>
> Best,
>
> Jack
>
> On Mon, Apr 13, 2020 at 1:26 PM Eric Urban <eurban at umn.edu> wrote:
>
>> Hello,
>>
>> I found when looking at
>> https://doc.emergingthreats.net/bin/view/Main/2018455 that the latest
>> revision appears to have removed the content sections that basically define
>> what the rule should be looking for based on its msg.  There is the comment
>> "del content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4;
>> within:5; because too many false positives".
>>
>> However, when you pull down the rule sets you can see the rule 2018455
>> does in fact contain the content sections for "c3 16 1a" which seems
>> correct since the rule checks for 195.22.26.192/26.
>>
>> Thank you,
>> --
>> Eric Urban
>> Security Analyst | University Information Security (UIS)
>> University of Minnesota | umn.edu
>> Information Security is a shared responsibility. Learn more at:
>> https://z.umn.edu/uis
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
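To make concrete what the thread is comparing, here is an added Python example (not from the list, the ET rule set or the ET team) that derives the rdata bytes `|00 04 c3 16 1a|` from the sinkhole range in the rule's msg, builds a constructed DNS reply, and compares that coarse content match with an exact check of the /26. The query name and answer addresses are constructed.

```python
import ipaddress
import struct

# Values taken from the rule text in the thread: the sinkhole range in the
# msg and the rdata bytes the docs-site comment proposed deleting.
SINKHOLE = ipaddress.ip_network("195.22.26.192/26")
RDATA_CONTENT = bytes.fromhex("0004c3161a")   # |00 04 c3 16 1a|


def rdata_prefix(net: ipaddress.IPv4Network) -> bytes:
    """A-record rdata = rdlength 4 + address; a fixed content can only pin
    the whole leading octets of the network (3 of them for a /26)."""
    return b"\x00\x04" + net.network_address.packed[: net.prefixlen // 8]


def build_a_reply(qname: str, answer_ip: str) -> bytes:
    """Constructed minimal DNS reply: header, one question, one A answer."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + b"\x00\x01\x00\x01"      # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + b"\x00\x01\x00\x01" + struct.pack(">I", 300)
    answer += b"\x00\x04" + ipaddress.ip_address(answer_ip).packed
    return header + question + answer


def a_answers(reply: bytes) -> list:
    """Return the IPv4 addresses of the A records in a reply built as above
    (assumes the answer name is a compression pointer, as build_a_reply emits)."""
    qdcount, ancount = struct.unpack(">HH", reply[4:8])
    pos = 12
    for _ in range(qdcount):                  # skip QNAME labels + QTYPE/QCLASS
        while reply[pos]:
            pos += 1 + reply[pos]
        pos += 5
    ips = []
    for _ in range(ancount):
        pos += 2                              # 2-byte compression pointer
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", reply[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(ipaddress.ip_address(reply[pos:pos + 4]))
        pos += rdlen
    return ips


def classify(reply: bytes) -> dict:
    """Coarse content match versus exact membership in the /26."""
    return {
        "content_match": RDATA_CONTENT in reply,
        "in_sinkhole": any(ip in SINKHOLE for ip in a_answers(reply)),
    }
```

The content bytes alone accept any answer in 195.22.26.0/24, which is why the rule text quoted above follows them with a relative byte_test on the next octet; without the content matches, the relative byte_test has nothing to anchor to.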