[Oisf-users] ET Open signature 2015857 and cisco config exfil

erik clark philosnef at gmail.com
Wed Jul 19 11:20:23 UTC 2017

Turns out this signature will not fire if the version block is

0a 21 20 4c

This looks for |0a 21 0a|version|20|

Id like to recommend altering this to either look for "NVRAM config last
update", or at least 0a 21 20|version|

We are running a few variants of this signature, and confirmed they fire as
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170719/763849f0/attachment-0001.html>

More information about the Oisf-users mailing list