Snort mailing list archives

Help with a custom SNORT rule.


From: "Ngo, John, OIG DoD" <John.Ngo () DODIG MIL>
Date: Tue, 6 Nov 2012 13:11:00 +0000

Hello,

I'm attempting to create a rule that detects inbound email with pdf attachments named in numbers only (Ex: 12345.pdf) and the name can be in any digits. Below is what I came up with, however, the rule was not triggered. I'm new to SNORT and still learning it. If anyone could please take a look and let me know if I need to make changes to this rule.

Thanks so much in advance.

John


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email PDF file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/(^\d+[1-9]+\.pdf$)/"; distance:0; classtype:suspicious-filename-detect; sid:100000106; rev:1;)

Attachment: smime.p7s
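Added example, not part of the list post or of any reply to it: a Python script that runs the PCRE from the posted rule, and a hypothetical replacement pattern, against a constructed MIME fragment. It shows why an expression anchored with ^ and $ cannot fire on a filename that sits inside a Content-Disposition header, and what a header-scoped pattern for a digits-only .pdf name looks like. The sample message, the replacement pattern, the commented Snort rule and the sid placeholder are all assumptions for illustration.

```python
import re

# Constructed sample, not captured traffic: the tail of an SMTP DATA payload
# carrying one MIME part whose attachment name is digits only.
SAMPLE_MIME = (
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    'Content-Type: application/pdf; name="12345.pdf"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="12345.pdf"\r\n'
    "\r\n"
    "JVBERi0xLjQK\r\n"
    "--b1--\r\n"
)

# The expression exactly as written in the posted rule.  Without the 'm'
# modifier, ^ and $ anchor to the start and end of the whole buffer, so the
# only payload it can match is one consisting of nothing but "<digits>.pdf".
POSTED_PCRE = re.compile(r"(^\d+[1-9]+\.pdf$)")

# Hypothetical replacement (an assumption, not a pattern from the thread):
# stay on the Content-Disposition header line, allow an optional quote, and
# require the name to be digits only before ".pdf".
NUMERIC_PDF_PCRE = re.compile(
    r"Content-Disposition:[^\r\n]*?filename=\x22?(\d+)\.pdf\x22?(?=\s|$)",
    re.IGNORECASE,
)

# Hypothetical Snort rule built on the same idea (assumption, not a rule from
# the thread).  The 'R' modifier starts the pcre where the preceding content
# match ended; distance:0 is a content modifier and does not affect pcre.
# <LOCAL_SID> is a placeholder for a sid from the local range.
SUGGESTED_RULE = (
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 '
    r'(msg:"Inbound mail with numeric-only PDF attachment name"; '
    r'flow:to_server,established; content:"Content-Disposition|3A|"; nocase; '
    r'pcre:"/[^\r\n]*?filename=\x22?\d+\.pdf\x22?\s/iR"; '
    r'classtype:suspicious-filename-detect; sid:<LOCAL_SID>; rev:1;)'
)


def posted_rule_matches(payload: str) -> bool:
    """True if the PCRE from the posted rule fires on this payload."""
    return POSTED_PCRE.search(payload) is not None


def numeric_pdf_filename(payload: str):
    """Return the digits-only PDF attachment name, or None if there is none."""
    m = NUMERIC_PDF_PCRE.search(payload)
    return f"{m.group(1)}.pdf" if m else None


if __name__ == "__main__":
    print("posted pcre matches sample:", posted_rule_matches(SAMPLE_MIME))
    print("numeric pdf name in sample:", numeric_pdf_filename(SAMPLE_MIME))
    print("posted pcre on bare name:", posted_rule_matches("12345.pdf"))
    print("suggested rule:", SUGGESTED_RULE)
```

Two things the run makes visible: the posted expression only matches when the entire buffer is the bare filename, and its trailing `[1-9]+` rejects names that end in 0 (10.pdf never matches). The replacement pattern covers quoted and unquoted filename parameters on a single header line; names carried only in the Content-Type `name=` parameter, or encoded per RFC 2231/2047, are outside what it inspects.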

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
