2013914: Not really relevant anymore?

Hi team ET,

Found this gem while looking at signatures that are loaded but never fire:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; http.user_agent; content:"Ubuntu APT-HTTP|2F|"; startswith; http.host; content:"repository.backtrack-linux.org"; within:40; reference:url,www.backtrack-linux.org; classtype:targeted-activity; sid:2013914; rev:5; metadata:created_at 2011_11_16, updated_at 2020_04_20;)

My guess is that it might be a waste of CPU cycles since BackTrack is kinda gone:

$ host repository.backtrack-linux[.]org
Host repository.backtrack-linux[.]org not found: 3(NXDOMAIN)
3 Likes

Nice find, that sig is a golden oldie. We will have that sig disabled in today's release.

JT

3 Likes
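The manual check in the first post (read the `http.host` match out of a rule, then see whether the name still resolves) can be run across a whole ruleset. The following is an added example, not part of the thread and not an ET tool: `dead_host_rules`, `host_literals` and the second sample rule are constructed for illustration, and the parser assumes that a valueless keyword with a dot in its name is a sticky buffer.

```python
import re
import socket

# keyword, optionally followed by ":value"; quoted values may contain ';'
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*(!?"(?:\\.|[^"\\])*"|[^;]*))?;')
FQDN = re.compile(r'(?:[a-z0-9-]+\.)+[a-z]{2,}')

# First rule is the one quoted in the thread; the second is a constructed sample.
RULES = [
    r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; http.user_agent; content:"Ubuntu APT-HTTP|2F|"; startswith; http.host; content:"repository.backtrack-linux.org"; within:40; reference:url,www.backtrack-linux.org; classtype:targeted-activity; sid:2013914; rev:5; metadata:created_at 2011_11_16, updated_at 2020_04_20;)',
    r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed sample"; http.host; content:"example.com"; endswith; sid:1000001; rev:1;)',
]

def decode_content(value):
    """Strip the quotes and expand |hex| runs of a content value."""
    text = value.strip('"')
    return re.sub(r'\|([0-9A-Fa-f ]+)\|',
                  lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), text)

def host_literals(rule):
    """Return (sid, [content literals matched in the http.host buffer])."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    sid, buffer, hosts = None, None, []
    for keyword, value in OPTION.findall(body):
        if keyword == 'sid':
            sid = int(value)
        elif not value and '.' in keyword:
            buffer = keyword  # assumption: dotted, valueless keyword = sticky buffer
        elif keyword == 'content' and buffer == 'http.host' and not value.startswith('!'):
            hosts.append(decode_content(value).lower())
    return sid, hosts

def resolves(host):
    """Default check: does the name still resolve? (needs network access)"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def dead_host_rules(rules, resolver=resolves):
    """List (sid, host) for full-hostname http.host literals that fail to resolve."""
    findings = []
    for rule in rules:
        sid, hosts = host_literals(rule)
        findings += [(sid, h) for h in hosts
                     if FQDN.fullmatch(h) and not resolver(h)]
    return findings
```

Calling `dead_host_rules(RULES)` uses live DNS; partial host fragments and negated matches are skipped because they cannot be resolved on their own, and each finding is a candidate for review rather than proof the rule is dead.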