[Emerging-Sigs] `former_category` metadatas

Jason Williams jwilliams at emergingthreats.net
Tue Jun 16 13:00:04 HDT 2020


Duane,

The "two metadata fields issue" has been a bug for a long time, originating
from our internal rule management tool. I think it has been present since
we started supporting Suri 4. We'll take this up with the engineering team
and hopefully get it resolved.

Thanks for bringing some attention to it!

Jason

On Tue, Jun 16, 2020 at 2:41 PM Duane Howard <duane.security at gmail.com>
wrote:

> Stylistic question:
>
> Is it intended that `former_category` metadata tags are independent of the
> other metadata tag in a given rule? Why not merge them into a single one?
>
> For example:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data;
> content:"|4a694270626e525562314e30636968685a4752794b|"; *metadata:
> former_category CURRENT_EVENTS;* classtype:trojan-activity; sid:2024353;
> rev:2; *metadata:affected_product
> Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product
> Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter,
> tag Exploit_Kit_Sundown, signature_severity Major, created_at 2017_06_07,
> malware_family Exploit_Kit, updated_at 2017_06_07;*)
>
> It also seems that this particular meta has a space following the
> `metadata` keyword where the later ones do not.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>