[Emerging-Sigs] `former_category` metadatas

Duane Howard duane.security at gmail.com
Tue Jun 16 11:40:42 HDT 2020


Stylistic question:

Is it intended that `former_category` metadata tags are independent of the
other metadata tag in a given rule? Why not merge them into a single one?

For example:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data;
content:"|4a694270626e525562314e30636968685a4752794b|"; *metadata:
former_category CURRENT_EVENTS;* classtype:trojan-activity; sid:2024353;
rev:2; *metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
affected_product Web_Browser_Plugins, attack_target Client_Endpoint,
deployment Perimeter, tag Exploit_Kit_Sundown, signature_severity Major,
created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;*)

It also seems that this particular meta has a space following the
`metadata` keyword where the later ones do not.
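A small check for the two points above, as an added example that is not part of this post or of the ET rule tooling: it splits the quoted rule into its options, reports a rule that carries more than one `metadata` keyword or a space after `metadata:`, and rewrites the rule with the pairs merged into a single `metadata` option. The rule is the one quoted in the post, joined onto one line with the emphasis asterisks removed.

```python
import re

# Rule quoted in the post, joined onto one line with the emphasis asterisks removed
# (added example, not from the post or the ET rule tooling).
RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP '
    'Landing M1 B641"; flow:established,from_server; file_data; '
    'content:"|4a694270626e525562314e30636968685a4752794b|"; metadata: former_category '
    'CURRENT_EVENTS; classtype:trojan-activity; sid:2024353; rev:2; metadata:affected_product '
    'Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, '
    'attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Sundown, '
    'signature_severity Major, created_at 2017_06_07, malware_family Exploit_Kit, updated_at 2017_06_07;)'
)

def split_options(rule):
    """Options between the rule's parentheses; a ';' inside double quotes is not a separator."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body) if o.strip()]

def is_metadata(opt):
    return opt.partition(":")[0].strip() == "metadata"

def metadata_entries(rule):
    """Every (key, value) pair from all metadata options, in rule order."""
    pairs = []
    for opt in filter(is_metadata, split_options(rule)):
        for item in opt.partition(":")[2].split(","):
            key, _, value = item.strip().partition(" ")
            pairs.append((key, value.strip()))
    return pairs

def lint(rule):
    """Report the two stylistic issues raised in the post."""
    issues = []
    raw = [o for o in split_options(rule) if is_metadata(o)]
    if len(raw) > 1:
        issues.append(f"{len(raw)} metadata keywords; merge into one")
    if any(o.partition(":")[2] != o.partition(":")[2].lstrip() for o in raw):
        issues.append("space after 'metadata:'")
    return issues

def merge_metadata(rule):
    """Rewrite the rule with a single metadata option, placed where the first one was."""
    merged = "metadata:" + ", ".join(f"{k} {v}" for k, v in metadata_entries(rule))
    out = []
    for opt in split_options(rule):
        if not is_metadata(opt):
            out.append(opt)
        elif merged not in out:  # emit the merged option once, at the first metadata position
            out.append(merged)
    return rule[: rule.index("(") + 1] + "; ".join(out) + ";)"
```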