
I want to find some descriptions of Suricata rules.

For example, Rule name: ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request

Rule info: content:"|00 01 74 63 6C 73 68 2E 74 63 6C|";

SID: 2009244, ... other else.

I would like to know the detailed function of the rule.

I found some sites, but there are no descriptions (like https://doc.emergingthreats.net/2009244).

Are there any commendable sites for searching rules' descriptions?

Thanks.

chung

1 Answer

We typically do include descriptions for our signatures; however, for a lot of the older signatures, they're missing descriptions. I noticed there was a reference included, but the web server hosting it was no longer available. I was able to find the same PDF here: https://dl.packetstormsecurity.net/papers/bypass/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf

As for the rule and the content snippet you highlighted, it's looking for the string 'tclsh.tcl' preceded by 0x0001. It's also worth noting that this rule is currently disabled in the latest production ruleset.

Sev
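The answer explains what the `content:` snippet matches: the bytes `00 01` (the TFTP read-request opcode) immediately followed by the ASCII filename `tclsh.tcl`. The following Python is an added example (not code from the question, the answer, or the Emerging Threats project) that decodes a Suricata content string with `|hex|` blocks into raw bytes, decodes the TFTP request header per RFC 1350, and checks constructed sample UDP payloads against the pattern. The sample payloads, the function names and the `octet` mode value are assumptions made for the demonstration.

```python
import re
import struct

# Content string copied from the rule body quoted in the question.
RULE_CONTENT = '"|00 01 74 63 6C 73 68 2E 74 63 6C|"'


def content_to_bytes(content):
    """Convert a Suricata/Snort content string into raw bytes.

    Text between a pair of '|' characters is hex (spaces allowed);
    everything else is taken literally.
    """
    content = content.strip().strip('"')
    out = bytearray()
    # Capturing group keeps the |...| separators in the split result.
    for part in re.split(r'(\|[0-9A-Fa-f ]*\|)', content):
        if not part:
            continue
        if part.startswith('|') and part.endswith('|'):
            out += bytes.fromhex(part[1:-1])
        else:
            out += part.encode('latin-1')
    return bytes(out)


def parse_tftp_request(payload):
    """Decode a TFTP RRQ (opcode 1) or WRQ (opcode 2) packet.

    Layout (RFC 1350): 2-byte big-endian opcode, filename, NUL, mode, NUL.
    Returns None for anything that is not a well-formed request.
    """
    if len(payload) < 4:
        return None
    opcode = struct.unpack('!H', payload[:2])[0]
    if opcode not in (1, 2):
        return None
    fields = payload[2:].split(b'\x00')
    if len(fields) < 3:  # filename, mode, and the empty tail after the last NUL
        return None
    return {
        'opcode': opcode,
        'filename': fields[0].decode('latin-1'),
        'mode': fields[1].decode('latin-1'),
    }


def matches_rule(payload, pattern=content_to_bytes(RULE_CONTENT)):
    """Plain substring match, which is what a bare content: keyword does."""
    return pattern in payload


# Constructed sample UDP payloads (hypothetical, not captured traffic).
RRQ_TCLSH = b'\x00\x01tclsh.tcl\x00octet\x00'   # read request for tclsh.tcl
RRQ_BENIGN = b'\x00\x01config.bin\x00octet\x00'  # read request for another file
WRQ_TCLSH = b'\x00\x02tclsh.tcl\x00octet\x00'   # write request: opcode differs

if __name__ == '__main__':
    for name, pkt in [('RRQ_TCLSH', RRQ_TCLSH), ('RRQ_BENIGN', RRQ_BENIGN),
                      ('WRQ_TCLSH', WRQ_TCLSH)]:
        print(name, parse_tftp_request(pkt), 'match' if matches_rule(pkt) else 'no match')
```

Because the `00 01` opcode is part of the pattern, the content only fires on a read request; a write request carrying the same filename, or a read request for any other filename, does not match, which is the behaviour the answer describes.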