doc.emergingthreats.net (72.12.209.155)  Public Scan

URL: https://doc.emergingthreats.net/bin/view/Main/2018959
Submission: On January 12 via api from IN — Scanned from DE


EmergingThreats > Main Web > 2018959 (2018-11-16, JamesCampbell)



alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, former_category POLICY, updated_at 2017_02_01;)
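The detection logic of this signature is a three-step chain over the decoded HTTP body: "MZ" must be the first two bytes, byte_jump reads the 4-byte little-endian e_lfanew field at offset 60 (2 bytes consumed by "MZ" plus 58), and the "PE|00 00|" signature must then sit exactly at that offset (distance:-64 steps back over the 64 bytes consumed so far, within:4 pins the 4-byte match). The following Python is an added illustration written for this page, not Emerging Threats or Snort/Suricata code; it replays that chain over a constructed DOS-header stub and shows the bounds checks an engine must apply before dereferencing an attacker-supplied e_lfanew.

```python
import struct

def build_sample(e_lfanew: int = 0x80, corrupt_sig: bool = False) -> bytes:
    """Constructed test body: a DOS header stub with e_lfanew at offset 60 and
    a PE signature at e_lfanew. Not a real executable, only enough bytes to
    exercise the checks the signature performs (e_lfanew must be >= 64)."""
    buf = bytearray(b"MZ" + b"\x00" * 58)          # offsets 0..59
    buf += struct.pack("<I", e_lfanew)              # offset 60: e_lfanew (LE)
    buf += b"\x00" * (e_lfanew - len(buf))          # pad up to e_lfanew
    buf += b"XX\x00\x00" if corrupt_sig else b"PE\x00\x00"
    buf += b"\x00" * 16                             # a little trailing data
    return bytes(buf)

def matches_sid_2018959(body: bytes) -> bool:
    """Replay the content/byte_jump chain of sid 2018959 over an HTTP body."""
    # content:"MZ"; within:2  -> "MZ" must occupy the first two bytes
    if body[:2] != b"MZ":
        return False
    cursor = 2
    # byte_jump:4,58,relative,little -> read 4 LE bytes at cursor+58 (offset 60)
    off = cursor + 58
    if len(body) < off + 4:
        return False
    e_lfanew = struct.unpack_from("<I", body, off)[0]
    # the detect pointer moves past the 4 bytes read, then jumps e_lfanew bytes
    cursor = off + 4 + e_lfanew
    # content:"PE|00 00|"; distance:-64; within:4 -> the search window starts
    # 64 bytes back from the pointer (i.e. at e_lfanew) and is 4 bytes wide,
    # so the signature must sit exactly at e_lfanew. Bounds-check first: a
    # hostile e_lfanew can point anywhere in a 4 GiB range.
    start = cursor - 64
    if start < 0 or start + 4 > len(body):
        return False
    return body[start:start + 4] == b"PE\x00\x00"

if __name__ == "__main__":
    print("PE stub:", matches_sid_2018959(build_sample()))
    print("bad sig:", matches_sid_2018959(build_sample(corrupt_sig=True)))
    print("html   :", matches_sid_2018959(b"<html><body>hello</body></html>"))
```

Because the match is on file_data and keyed on the real e_lfanew rather than a fixed offset, padding between the DOS header and the PE header does not evade it; a truncated body, or an e_lfanew pointing past the end of the buffer, simply fails to match rather than crashing the check.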



Added 2020-08-05 19:10:05 UTC


--------------------------------------------------------------------------------







alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, updated_at 2017_02_01;)



Added 2019-04-24 19:04:36 UTC







--------------------------------------------------------------------------------







alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3; metadata:created_at 2014_08_19, updated_at 2017_02_01;)



Added 2018-09-13 19:49:09 UTC







I am using the emerging threat rules in my Snort IPS. I am disabling some of the
rules by using Barnyard2 and the disablesid.conf mechanism. Two of the rules
that I am disabling are sid:2000419 and id:2018959. I have the entries in
disablesid.conf in numeric order so sid:2000419 is processed prior to
sid:2018959. When Barnyard2 processes the disablesid.conf file, it disables
sid:2000419 but doesn't disable sid:2018959. I believe that this happens because
when Barnyard2 is parsing the entry for sid:2018959 it finds 2000419 in the rule
in "reference:url,doc.emergingthreats.net/bin/view/Main/2000419;" and, since it
has already disabled sid:2000419 it skips disabling sid:2018959. I believe that
my problem would be solved by changing the "reference:.." from 2000419 to
2018959. Thank you.

-- JamesCampbell - 2018-11-16



Additional information: I commented out the entry for sid:2000419 in the
disablesid.conf. Re-running Barnyard2 resulted in sid:2000419 being disabled but
not sid:2018959. Barnyard2 reported that it had processed all the
disablesid.conf records and skipped none.

I believe that this proves that having two sid numbers in the same record is
what is causing my problem. Please remove or change the 2000419 in the
sid:2018959 rule record.

-- JamesCampbell - 2018-11-16
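The ambiguity JamesCampbell describes above, a rule body that contains another rule's sid inside its reference URL, is exactly the case a sid-keyed parser avoids: it reads the number from the sid: option rather than from anywhere in the line. The Python below is an added illustration for this page and is not the code of Barnyard2, PulledPork or any Emerging Threats tool; the two rule strings are constructed and trimmed, keeping only the reference and sid options that matter, and the naive substring test is included only to show why the two approaches disagree on the rev:3 rule.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed rule texts (trimmed). The second carries a reference URL that
# ends in the first rule's sid, mirroring the rev:3 rule on this page.
RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"example rule A"; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2000419; sid:2000419; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"example rule B"; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2000419; sid:2018959; rev:3;)',
]

# The sid option is always its own "sid:<digits>;" token preceded by ";" or
# "(", so digits embedded in a URL or msg string never match this pattern.
SID_RE = re.compile(r"(?:^|[;(]\s*)sid\s*:\s*(\d+)\s*;")

def rule_sid(rule: str) -> Optional[int]:
    """Return the sid declared by the rule's sid: option, or None."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def naive_mentions(rule: str, sid: int) -> bool:
    """Substring test: true for *any* appearance of the digits, URLs included.
    This is the kind of check that conflates 2018959 with 2000419."""
    return str(sid) in rule

def disable_rules(rules: Iterable[str], disable_sids: Set[int]) -> Tuple[List[str], Set[int]]:
    """Comment out every rule whose parsed sid is listed; return the rewritten
    rule list and the set of sids that were actually disabled."""
    out, disabled = [], set()
    for rule in rules:
        sid = rule_sid(rule)
        if sid in disable_sids and not rule.lstrip().startswith("#"):
            out.append("# " + rule)
            disabled.add(sid)
        else:
            out.append(rule)
    return out, disabled

if __name__ == "__main__":
    for r in RULES:
        print(rule_sid(r), "naive-mentions-2000419:", naive_mentions(r, 2000419))
    _, done = disable_rules(RULES, {2000419, 2018959})
    print("disabled:", sorted(done))
```

A useful check after any bulk disable is to compare the set of sids you asked for with the set reported back, as the function's second return value allows; a mismatch points at either a sid that is not in the ruleset or a parser that is keying on the wrong field.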



--------------------------------------------------------------------------------









Added 2018-09-13 17:58:54 UTC







--------------------------------------------------------------------------------







alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3; metadata:created_at 2014_08_19, updated_at 2017_02_01;)



Added 2017-08-07 21:13:07 UTC







--------------------------------------------------------------------------------







alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:3;)



Added 2017-02-01 18:33:05 UTC







--------------------------------------------------------------------------------







alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)



Added 2014-08-19 16:22:04 UTC







I think this rule should be updated to include

pcre: '/^((?!\.windowsupdate\.com).)*$/im'

as all Windows machines generate loads of auto-update alerts due to this rule...
Thoughts?

-- ScottNursten - 2017-02-01



Thanks, we'll get this fixed up today!

-- DarienH - 2017-02-01



--------------------------------------------------------------------------------





Topic revision: r4 - 2018-11-16 - JamesCampbell

Copyright © Emerging Threats