[Emerging-Sigs] Possible duplication in SIDs 2029297 & 2029300

Eric Urban eurban at umn.edu
Thu Jan 30 11:31:26 HST 2020


I notice in the Suricata 5.0 rules that 2029297 and 2029300 appear to match
with the same content and differ only by metadata characteristics:

alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain
Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase;
endswith; metadata: former_category MALWARE; classtype:domain-c2;
sid:2029297; rev:2; metadata:affected_product Web_Browsers, attack_target
Client_Endpoint, deployment Perimeter, signature_severity Major, created_at
2020_01_20, malware_family MageCart, updated_at 2020_01_20;)

alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain
Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase;
endswith; classtype:domain-c2; sid:2029300; rev:1;
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
attack_target Client_Endpoint, deployment Perimeter, signature_severity
Major, created_at 2020_01_22, updated_at 2020_01_22;)

In the 4.x rules, these rules exist but one is in MALWARE and the other in
TROJAN.

Is there something I am missing as to why these both exist?

Thank you,
Eric

-- 
Eric Urban
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu
Information Security is a shared responsibility. Learn more at:
https://z.umn.edu/uis
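One way to check a ruleset for this kind of duplication, as an added example that is not part of the original post or of the ET ruleset: a small Python script that parses each rule, drops the options that only label it (msg, sid, rev, gid, metadata, reference, classtype, priority) and groups rules whose remaining header and detection options are identical. The sample ruleset is constructed from the two rules quoted above plus a control rule with a placeholder domain.

```python
import re
from collections import defaultdict

# Constructed sample ruleset: the two rules quoted in the post plus an unrelated control rule.
RULES = r'''
alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; metadata: former_category MALWARE; classtype:domain-c2; sid:2029297; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_20, malware_family MageCart, updated_at 2020_01_20;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_22, updated_at 2020_01_22;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Domain Observed in DNS Query"; dns_query; content:"example.invalid"; nocase; endswith; classtype:domain-c2; sid:9000001; rev:1;)
'''

# Options that label a rule but do not change what traffic it matches.
NON_DETECTION = {"msg", "sid", "rev", "gid", "metadata", "reference", "classtype", "priority"}
RULE_RE = re.compile(r"^\s*(?P<header>[^(]+?)\s*\((?P<body>.*)\)\s*$")

def split_options(body):
    """Split the option body on ';' outside double quotes, honouring backslash escapes."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if not escaped and not quoted and ch == ";":
            opts.append("".join(cur).strip())
            cur = []
            continue
        if not escaped and ch == '"':
            quoted = not quoted
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def detection_key(rule):
    """Return ((header, detection options), sid); the key is what actually decides matching."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a rule line: %r" % rule)
    header = " ".join(m.group("header").split())
    opts = split_options(m.group("body"))
    keep = tuple(o for o in opts if o.split(":", 1)[0].strip().lower() not in NON_DETECTION)
    sid = next(int(o.split(":", 1)[1]) for o in opts if o.lower().startswith("sid:"))
    return (header, keep), sid

def find_duplicates(text):
    """Group sids whose rules share a detection key, i.e. differ only in labels or metadata."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sid = detection_key(line)
            groups[key].append(sid)
    return sorted(sorted(sids) for sids in groups.values() if len(sids) > 1)
```

Run against a full rules file, `find_duplicates(open("emerging-all.rules").read())` lists every group of sids that would fire on exactly the same traffic, which is the check a ruleset maintainer would want before deciding which of 2029297 and 2029300 to keep.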