Nothing more than extra detection in case one thing is changed. <br><br><div class="gmail_quote">On 26 October 2011 18:01, waldo kitty <span dir="ltr">&lt;<a href="mailto:wkitty42@windstream.net">wkitty42@windstream.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>
emerging-scan.rules:alert udp $EXTERNAL_NET any -&gt; $HOME_NET 5060 (msg:&quot;ET SCAN Modified Sipvicious Sundayddr Scanner&quot;; content:&quot;From|3A 20 22|sipsscuser|22|&quot;; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,<a href="http://code.google.com/p/sipvicious/" target="_blank">code.google.com/p/sipvicious/</a>; reference:url,<a href="http://blog.sipvicious.org/" target="_blank">blog.sipvicious.org/</a>; reference:url,<a href="http://honeynet.org.au/?q=sunday_scanner" target="_blank">honeynet.org.au/?q=sunday_scanner</a>; classtype:attempted-recon; sid:2012204; rev:3;)<br>
<br>
emerging-scan.rules:alert udp $EXTERNAL_NET any -&gt; $HOME_NET 5060 (msg:&quot;ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)&quot;; content:&quot;|0d 0a|User-Agent|3A| sundayddr&quot;; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,<a href="http://honeynet.org.au/?q=sunday_scanner" target="_blank">honeynet.org.au/?q=sunday_scanner</a>; reference:url,<a href="http://code.google.com/p/sipvicious/" target="_blank">code.google.com/p/sipvicious/</a>; reference:url,<a href="http://blog.sipvicious.org/" target="_blank">blog.sipvicious.org/</a>; reference:url,<a href="http://doc.emergingthreats.net/2011766" target="_blank">doc.emergingthreats.net/2011766</a>; classtype:attempted-recon; sid:2011766; rev:5;)<br>
<br>
both of these seem to be firing on the same traffic but they appear to be<br>
looking for different things... the MSG is also pretty much the same...<br>
<br>
can we 1) get an explanation on the differences and why each is looking at what<br>
it is looking at?<br>
<br>
2) if they are to be detecting the same thing, can they be combined or would<br>
that make the resulting rule too specific??<br>
<br>
_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@emergingthreats.net">Emerging-sigs@emergingthreats.net</a><br>
<a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!<br>
</blockquote></div><br>
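The two rules quoted above key on different headers of the same SIP request: sid 2012204 looks for the literal <code>From: "sipsscuser"</code>, sid 2011766 for a <code>User-Agent: sundayddr</code> header at the start of a line. The following is an added example, not code from the thread, from Emerging Threats or from SIPVicious: it decodes the two <code>content:</code> strings from their Snort pipe-hex notation, runs them over constructed SIP OPTIONS payloads, and models the <code>threshold: type limit, count 1, seconds 60, track by_src</code> clause so you can see why both rules fire on an unmodified scanner and why each one keeps firing when the other marker is changed. The payloads, the source address and the timestamps are all constructed for the example.

```python
"""Added example: decode the content: matches of ET sids 2012204 and 2011766
and evaluate them against constructed SIP OPTIONS payloads."""
from __future__ import annotations

# The content: strings exactly as quoted in the two rules above.
RULES = {
    2012204: 'From|3A 20 22|sipsscuser|22|',      # ET SCAN Modified Sipvicious Sundayddr Scanner
    2011766: '|0d 0a|User-Agent|3A| sundayddr',   # ET SCAN Modified Sipvicious User-Agent Detected
}


def snort_content_to_bytes(pattern: str) -> bytes:
    """Turn a Snort/Suricata content: string into raw bytes.

    Text outside |...| is literal; inside the pipes, space-separated hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes.fromhex(chunk)
    return bytes(out)


def rules_matching(payload: bytes) -> list[int]:
    """Return the sids whose content: bytes occur in the payload.

    Neither rule sets nocase, so the comparison is case-sensitive, exactly
    as the rules themselves behave."""
    return sorted(sid for sid, pat in RULES.items()
                  if snort_content_to_bytes(pat) in payload)


def sip_options(from_user: str, user_agent: str) -> bytes:
    """Constructed SIP OPTIONS request with CRLF line endings (example data)."""
    lines = [
        "OPTIONS sip:100@192.0.2.10 SIP/2.0",
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1",
        f'From: "{from_user}"<sip:100@198.51.100.7>;tag=1',
        'To: "100"<sip:100@192.0.2.10>',
        f"User-Agent: {user_agent}",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


class LimitThreshold:
    """Models 'threshold: type limit, count N, seconds S, track by_src':
    at most N alerts per (sid, source) in each S-second window, the window
    opening on the first event seen."""

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self.windows: dict[tuple[int, str], tuple[float, int]] = {}

    def alert(self, sid: int, src: str, now: float) -> bool:
        start, fired = self.windows.get((sid, src), (None, 0))
        if start is None or now - start >= self.seconds:
            start, fired = now, 0          # open a fresh window
        fired += 1
        self.windows[(sid, src)] = (start, fired)
        return fired <= self.count


def run(events, threshold: LimitThreshold | None = None) -> list[tuple[float, str, int]]:
    """events: iterable of (timestamp, src_ip, payload).
    Returns the (timestamp, src_ip, sid) tuples that survive the threshold."""
    threshold = threshold or LimitThreshold()
    alerts = []
    for t, src, payload in events:
        for sid in rules_matching(payload):
            if threshold.alert(sid, src, t):
                alerts.append((t, src, sid))
    return alerts


SCANNER = "198.51.100.7"   # constructed source address
SAMPLE_EVENTS = [
    (0,  SCANNER, sip_options("sipsscuser", "sundayddr")),   # unmodified: both rules match
    (10, SCANNER, sip_options("probe", "sundayddr")),        # From changed: only 2011766 matches
    (70, SCANNER, sip_options("sipsscuser", "friendly")),    # User-Agent changed: only 2012204 matches
]

if __name__ == "__main__":
    for t, _, payload in SAMPLE_EVENTS:
        print(f"t={t:>3}s  matching sids: {rules_matching(payload)}")
    print("alerts after threshold:", run(SAMPLE_EVENTS))
```

Two things the run makes visible. First, the rules are independent detections rather than duplicates: the second payload (From user renamed) is caught only by 2011766, the third (User-Agent renamed) only by 2012204, which is the point of the reply above. Second, the <code>limit</code> threshold suppresses the 2011766 match at t=10 because that sid already alerted for the same source inside its 60-second window, while the 2012204 match at t=70 starts a new window and alerts again. A caveat worth noting: because neither rule uses <code>nocase</code>, a scanner that merely changes the case of either marker is missed by both content matches, so the <code>sip_options("sipsscuser", "SUNDAYDDR")</code> payload only trips 2012204.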