Snort mailing list archives
Low hanging fruit #3
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 22 Oct 2012 09:53:22 -0600
Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"POLICY 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"1.usa.gov"; pcre:"/\x2f[a-f0-9]{6,8}/msi"; reference:url,http://www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:10000034; rev:1;)

Doubt this will be useful for long. Sanity tested and running in a live environment, but no pcaps.

James
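Added example (not part of the original post, and not the Snort engine): a Python emulation of the posted rule's two match conditions, run over constructed message bodies. Because the pcre in the rule is not made relative to the content match, any "/" followed by six to eight hex characters anywhere in the body satisfies it once "1.usa.gov" appears; the anchored pattern shown alongside is an assumed tightening, not something the rule contains.

```python
import re

# Constructed sample message bodies (not from the original post).
SAMPLES = {
    "shortened_gov_link": "Click here: http://1.usa.gov/Ab12cD to claim your refund",
    "host_without_hex_path": "See http://1.usa.gov/about for details",
    "unrelated_hex_path": "Mentions 1.usa.gov and also http://example.invalid/deadbeef",
    "benign": "Quarterly report attached, see section 3.",
}

# Literal content match (case-sensitive, as the rule has no nocase) and the
# pcre exactly as posted: "/[a-f0-9]{6,8}" with the m, s and i flags.
CONTENT = b"1.usa.gov"
PCRE_AS_POSTED = re.compile(rb"/[a-f0-9]{6,8}", re.M | re.S | re.I)

# Assumed tightening (not in the original rule): the hex path must follow the
# 1.usa.gov host directly and end there, as a short link would.
PCRE_ANCHORED = re.compile(rb"1\.usa\.gov/[a-f0-9]{6,8}(?![a-z0-9])", re.M | re.S | re.I)


def rule_as_posted(body: bytes) -> bool:
    """Emulate the posted rule: content match AND an independent pcre match."""
    return CONTENT in body and PCRE_AS_POSTED.search(body) is not None


def rule_anchored(body: bytes) -> bool:
    """Assumed stricter variant: hex token must be the path of a 1.usa.gov link."""
    return PCRE_ANCHORED.search(body) is not None


def evaluate(samples: dict) -> dict:
    """Return {name: (posted_rule_fires, anchored_rule_fires)} for each body."""
    return {
        name: (rule_as_posted(text.encode()), rule_anchored(text.encode()))
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, (posted, anchored) in evaluate(SAMPLES).items():
        print(f"{name:24s} posted={posted!s:5s} anchored={anchored}")
```

The "unrelated_hex_path" body fires the rule as posted but not the anchored variant, which is the false-positive class worth checking against real traffic before trusting the alert.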