[Emerging-Sigs] Possible duplication in SIDs 2029297 & 2029300

Jason Williams jwilliams at emergingthreats.net
Thu Jan 30 13:57:26 HST 2020


Eric,

Yep, this looks like duplicate coverage; it will be fixed up in the rule
push shortly.

Thanks!

On Thu, Jan 30, 2020 at 2:31 PM Eric Urban <eurban at umn.edu> wrote:

> I notice in the Suricata 5.0 rules that 2029297 and 2029300 appear to
> match with the same content and differ only by metadata characteristics:
>
> alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; metadata: former_category MALWARE; classtype:domain-c2; sid:2029297; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_20, malware_family MageCart, updated_at 2020_01_20;)
>
> alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_22, updated_at 2020_01_22;)
>
> In the 4.x rules, these rules exist but one is in MALWARE and the other in
> TROJAN.
>
> Is there something I am missing as to why these both exist?
>
> Thank you,
> Eric
>
> --
> Eric Urban
> Security Analyst | University Information Security (UIS)
> University of Minnesota | umn.edu
> Information Security is a shared responsibility. Learn more at:
> https://z.umn.edu/uis
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
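As an added example (not code from this thread, from Emerging Threats, or from Suricata), here is a Python script that finds the kind of duplicate coverage Eric reports: it parses each rule line, drops the options that only describe or label a rule (msg, sid, rev, gid, classtype, priority, reference, metadata, target) and groups rules whose header plus ordered detection options are identical. The sample input is the two rules quoted above, joined onto single lines, plus a constructed control rule with a made-up local SID (9000001) and a different domain, which must not be flagged. The option splitter, the keyword list and the function names are this example's own assumptions, not Suricata's parser.

```python
import re
from collections import defaultdict

# Option keywords that label or describe a rule but play no part in what it
# matches.  Two rules that differ only in these fire on exactly the same traffic.
DESCRIPTIVE_OPTIONS = {"msg", "sid", "rev", "gid", "metadata", "reference",
                       "classtype", "priority", "target"}

# header = everything before the first '(' ; options = everything inside the parens
RULE_RE = re.compile(r"^\s*(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")


def split_options(body):
    """Split the text inside the rule's parentheses on ';', honoring double
    quotes (and backslash escapes inside them) so that a ';' within a quoted
    value is not treated as an option separator."""
    tokens, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tokens.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf).strip())
    pairs = []
    for tok in tokens:
        if not tok:
            continue
        key, _, value = tok.partition(":")  # "nocase" -> ("nocase", None)
        pairs.append((key.strip(), value.strip() if value else None))
    return pairs


def parse_rule(line):
    """Return (whitespace-normalized header, [(keyword, value), ...]),
    or None for a line that is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    header = " ".join(m.group("header").split())
    return header, split_options(m.group("options"))


def detection_fingerprint(line):
    """Header plus the ordered detection options with descriptive keywords
    removed.  Order is kept on purpose: modifiers such as nocase/endswith
    bind to the content keyword that precedes them."""
    parsed = parse_rule(line)
    if parsed is None:
        return None
    header, options = parsed
    kept = [k if v is None else f"{k}:{v}"
            for k, v in options if k not in DESCRIPTIVE_OPTIONS]
    return header + " " + " ".join(kept)


def rule_sid(line):
    """The rule's sid value as a string, or None if absent / not a rule."""
    parsed = parse_rule(line)
    if parsed is None:
        return None
    for k, v in parsed[1]:
        if k == "sid":
            return v
    return None


def find_duplicate_coverage(rule_lines):
    """Group SIDs whose rules fire on exactly the same traffic.
    Returns {fingerprint: [sid, ...]} for fingerprints shared by 2+ rules."""
    by_fingerprint = defaultdict(list)
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip comments and blank lines
            continue
        fp = detection_fingerprint(line)
        if fp is not None:
            by_fingerprint[fp].append(rule_sid(line))
    return {fp: sids for fp, sids in by_fingerprint.items() if len(sids) > 1}


# Constructed sample ruleset: the two rules from the thread plus one control rule
# (assumed local SID 9000001, not an Emerging Threats signature).
SAMPLE_RULES = [
    'alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; metadata: former_category MALWARE; classtype:domain-c2; sid:2029297; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_20, malware_family MageCart, updated_at 2020_01_20;)',
    'alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_22, updated_at 2020_01_22;)',
    'alert dns $HOME_NET any -> any any (msg:"EXAMPLE Constructed control rule"; dns_query; content:"example.invalid"; nocase; endswith; classtype:domain-c2; sid:9000001; rev:1;)',
    "# comments and blank lines are ignored",
    "",
]

if __name__ == "__main__":
    for fp, sids in find_duplicate_coverage(SAMPLE_RULES).items():
        print("duplicate coverage:", ", ".join(sids))
        print("   ", fp)
```

Run it over a rules file with `find_duplicate_coverage(open("emerging-all.rules"))` to get every group of SIDs with byte-identical detection logic. The comparison is purely textual, which is the right first pass for a case like this one (same header, same `dns_query; content:...; nocase; endswith;`) but will not catch rules that are semantically equivalent while spelled differently, for example the same buffer written as `dns_query` versus `dns.query`, or a byte written as `|3a|` in one rule and `:` in the other; those need normalization against the engine's own keyword table.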