[Oisf-users] ET Open signature 2015857 and cisco config exfil
Travis Green
travis at travisgreen.net
Wed Jul 19 13:14:54 UTC 2017
Thanks Eric, we'll get that modified.
-Travis
On Wed, Jul 19, 2017 at 5:20 AM, erik clark <philosnef at gmail.com> wrote:
> Turns out this signature will not fire if the version block is
>
> 0a 21 20 4c
>
> This looks for |0a 21 0a|version|20|
>
> I'd like to recommend altering this to either look for "NVRAM config last
> update", or at least 0a 21 20|version|
>
> We are running a few variants of this signature, and confirmed they fire
> as expected.
--
PGP: ABE625E6
keybase.io/travisbgreen
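
An added example, not part of the original thread or of the ET ruleset: it converts the two content strings quoted above into bytes and checks them against two Cisco config headers. Both headers are constructed, and the layout of the second is an assumption chosen to contain the `0a 21 20 4c` bytes mentioned in the thread. Only the content match is modelled, not the rest of the rule.

```python
def parse_content(spec: str) -> bytes:
    """Convert a Suricata-style content string to raw bytes.

    Text between pipes is space-separated hex; everything else is literal ASCII.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                      # odd segments sit inside |...|
            out += bytes.fromhex(part)
        else:
            out += part.encode("ascii")
    return bytes(out)


# Content strings as quoted in the thread.
PATTERNS = {
    "current": "|0a 21 0a|version|20|",
    "proposed": "NVRAM config last update",
}

# Constructed sample headers (not captured traffic).
SAMPLES = {
    # "!" on its own line directly before "version ".
    "bare_header": b"Current configuration : 1024 bytes\n!\nversion 15.2\nhostname r1\n",
    # Assumed layout: "! ..." comment lines directly before "version ",
    # so the bytes 0a 21 20 4c ("\n! L") appear instead of 0a 21 0a.
    "commented_header": (
        b"Current configuration : 1024 bytes\n!\n"
        b"! Last configuration change at 10:02:11 UTC Mon Jul 17 2017\n"
        b"! NVRAM config last updated at 10:05:40 UTC Mon Jul 17 2017\n"
        b"version 15.2\nhostname r1\n"
    ),
}


def coverage() -> dict:
    """Return {sample: {pattern: matched}} using a plain substring search."""
    compiled = {name: parse_content(spec) for name, spec in PATTERNS.items()}
    return {
        sample: {name: pat in data for name, pat in compiled.items()}
        for sample, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for sample, hits in coverage().items():
        print(f"{sample:17} {hits}")
```

On these constructed inputs neither content string alone matches both headers, so a replacement rule is worth testing against both layouts before the old one is retired.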