[Emerging-Sigs] SID:2018455 - Docs site does not match rule from downloaded rule set

Jack Mott jmott at emergingthreats.net
Tue Apr 14 06:33:47 HDT 2020


Hi Eric,

The docs are using a wiki platform so it can be commented/edited by
registered users. It can be confusing as it was in this case, but when in
doubt, consult the actual rule content from the rules files pulled from our
servers. If there is still a question or concern feel free to shoot us a
message about it here or using the
https://feedback.emergingthreats.net/feedback portal and it will go
straight to our team for review.

Thanks for reaching out!

Jack

On Tue, Apr 14, 2020 at 8:25 AM Eric Urban <eurban at umn.edu> wrote:

> Thank you for your response.  So you mean to say the signature at the top
> of the page that is "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET
> TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26";
> byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|";
> nocase; content:!"|05|mpsmx|03|net|00|"; nocase;
> content:!"|09|mailspike|03|com|00|"; nocase;
> content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track
> by_src, seconds 60, count 1; metadata: former_category TROJAN;
> classtype:trojan-activity; sid:2018455; rev:5; metadata:created_at
> 2014_05_08, updated_at 2018_04_20;)" is actually just a user submitted
> comment and does not reflect the state of the rule?
>
> I did not realize the docs worked this way.  My understanding was that the
> signatures there reflected actual changes that had been made to the rules
> to be distributed but based on your email it seems I am mistaken and
> anyone, or at least registered users, can post modifications for submission
> that will show up on the page?
>
>
> --
> Eric Urban
> Security Analyst | University Information Security (UIS)
> University of Minnesota | umn.edu
> Information Security is a shared responsibility. Learn more at:
> https://z.umn.edu/uis
>
>
> On Tue, Apr 14, 2020 at 9:20 AM Jack Mott <jmott at emergingthreats.net>
> wrote:
>
>> Hi Eric,
>>
>> The comment to delete those contents is from another user like yourself
>> and not the Emerging Threats team. We have not made a recent modification
>> to this rule.
>>
>> Please do not hesitate to reach out with any questions or concerns!
>>
>> Best,
>>
>> Jack
>>
>> On Mon, Apr 13, 2020 at 1:26 PM Eric Urban <eurban at umn.edu> wrote:
>>
>>> Hello,
>>>
>>> I found when looking at
>>> https://doc.emergingthreats.net/bin/view/Main/2018455 that the latest
>>> revision appears to have removed the content sections that basically define
>>> what the rule should be looking for based on its msg.  There is the comment
>>> "del content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4;
>>> within:5; because too many false positives".
>>>
>>> However, when you pull down the rule sets you can see the rule 2018455
>>> does in fact contain the content sections for "c3 16 1a" which seems
>>> correct since the rule checks for 195.22.26.192/26.
>>>
>>> Thank you,
>>> --
>>> Eric Urban
>>> Security Analyst | University Information Security (UIS)
>>> University of Minnesota | umn.edu
>>> Information Security is a shared responsibility. Learn more at:
>>> https://z.umn.edu/uis
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>>>
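The following Python is an added example and is not part of this thread, the ET wiki page or the ET rule set. It rebuilds the detection options of sid:2018455 as the thread describes them (the two content matches with distance:4/within:5 that Eric found in the downloaded rule, plus the byte_test and the negated contents quoted from the doc page) and runs them over a constructed DNS reply, so a reader can see which bytes of an A record the "c3 16 1a" content selects and why removing it would change what the rule fires on. The helper build_dns_reply, the emulation function rule_2018455_matches, in_msg_range and the sample names and addresses are all assumptions made for this example; the emulation approximates Suricata's content/byte_test semantics and is not the engine itself.

```python
"""Added example: emulate the detection options of ET sid:2018455 on a
constructed DNS reply. Not code from the thread, the wiki page or the ET
rule set; the emulation approximates Suricata semantics for illustration."""
import ipaddress
import struct

# The /26 named in the rule's msg, used only to compare against byte_test.
MSG_NETWORK = ipaddress.ip_network("195.22.26.192/26")

# Negated contents as quoted from the doc page: DNS wire-format names,
# matched case-insensitively (nocase) anywhere in the payload.
EXCLUDED_NAMES = [
    b"\x0eanubisnetworks\x03com\x00",
    b"\x05mpsmx\x03net\x00",
    b"\x09mailspike\x03com\x00",
    b"\x09mailspike\x03org\x00",
]


def build_dns_reply(qname: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed test input (not captured traffic): a DNS response with one
    question and one A answer for `qname` pointing at `ip`."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Answer: pointer to the question name, TYPE=A, CLASS=IN, TTL, RDLENGTH=4, RDATA
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
    answer += ipaddress.IPv4Address(ip).packed
    return header + question + answer


def in_msg_range(ip: str) -> bool:
    """Is the address inside the 195.22.26.192/26 named in the rule's msg?"""
    return ipaddress.ip_address(ip) in MSG_NETWORK


def rule_2018455_matches(payload: bytes) -> bool:
    """Emulate the rule's options as described in the thread:

      content:"|00 01 00 01|";                       TYPE=A, CLASS=IN
      content:"|00 04 c3 16 1a|"; distance:4; within:5;
                                                     skip the 4-byte TTL, then
                                                     RDLENGTH=4 and 195.22.26
      byte_test:1,>,224,0,relative;                  the octet right after
      content:!"..." nocase  (four allow-listed names)
    """
    lower = payload.lower()
    if any(name in lower for name in EXCLUDED_NAMES):
        return False

    # Like the engine, retry every occurrence of the first content; the
    # header's QDCOUNT/ANCOUNT (00 01 00 01) is a false start that the
    # distance/within anchoring of the second content rejects.
    pos = 0
    while True:
        i = payload.find(b"\x00\x01\x00\x01", pos)
        if i < 0:
            return False
        first_end = i + 4
        # distance:4 -> second content starts at least 4 bytes after the first;
        # within:5 with a 5-byte content -> it must start exactly there.
        start = first_end + 4
        if payload[start:start + 5] == b"\x00\x04\xc3\x16\x1a":
            # byte_test:1,>,224,0,relative -> one byte, immediately after the
            # previous content match, must be greater than 224.
            nxt = start + 5
            if nxt < len(payload) and payload[nxt] > 224:
                return True
        pos = i + 1


if __name__ == "__main__":
    for name, ip in [("evil.example", "195.22.26.230"),
                     ("evil.example", "195.22.26.200"),
                     ("anubisnetworks.com", "195.22.26.230"),
                     ("evil.example", "8.8.8.8")]:
        hit = rule_2018455_matches(build_dns_reply(name, ip))
        print(f"{name:20} -> {ip:15} rule={hit!s:5} in_msg_range={in_msg_range(ip)}")
```

Two things the run makes visible. First, without the "|00 04 c3 16 1a|" content and its distance/within anchoring, the only thing left to key on is a DNS A answer whose last octet exceeds 224, which is what the wiki comment's deletion would have produced. Second, taken literally, byte_test:1,>,224 fires only for last octets 225 to 255, a narrower range than the 192 to 255 covered by the 195.22.26.192/26 in the msg; 195.22.26.200 is inside the /26 but does not trigger the emulated rule.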