Snort mailing list archives

Low hanging fruit #3


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 22 Oct 2012 09:53:22 -0600

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"POLICY 1.usa.gov URL 
in email, possible spam redirect"; flow:to_server, established; 
file_data; content:"1.usa.gov"; pcre:"/\x2f[a-f0-9]{6,8}/msi"; 
reference:url,http://www.symantec.com/connect/blogs/spam-gov-urls; 
classtype:bad-unknown; sid:10000034; rev:1;)

Doubt this will be useful for long.  Sanity tested and running in a 
live environment, but no pcaps.

James
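Added example (not part of James's post and not Snort code): a Python model of the rule's two body conditions, run over constructed SMTP bodies, to show what the content match and the pcre each contribute. The sample bodies and the function names are assumptions made for illustration; the "unanchored" case shows that, without the R (relative) modifier, the pcre can be satisfied by a hex path anywhere in the body rather than only after "1.usa.gov".

```python
import re

# Emulation of the rule's payload checks (constructed example, not from the
# original post or from Snort itself).
CONTENT = b"1.usa.gov"                  # content:"1.usa.gov" -- case-sensitive, no nocase
# pcre:"/\x2f[a-f0-9]{6,8}/msi" -> "/" followed by 6-8 hex digits, flags m s i
PCRE = re.compile(rb"/[a-f0-9]{6,8}", re.M | re.S | re.I)

# Constructed SMTP bodies standing in for the file_data buffer Snort inspects.
SAMPLES = {
    # Shortened .gov URL of the kind the Symantec reference describes: alerts.
    "spam": b"Great deals today! Click http://1.usa.gov/1a2b3c to claim.\r\n",
    # Full-domain link: no "1.usa.gov" content match, so no alert.
    "benign": b"See https://www.usa.gov/benefits for details.\r\n",
    # "1.usa.gov" appears in prose and a hex path appears elsewhere in the
    # body: both checks pass independently (no R modifier), so this alerts too.
    "unanchored": b"Our policy page is on 1.usa.gov now.\r\nTicket: /00ab12cd\r\n",
}

def rule_matches(body: bytes) -> bool:
    """Both conditions must hold somewhere in the buffer, independently."""
    return CONTENT in body and PCRE.search(body) is not None

def pcre_hits(body: bytes) -> list[str]:
    """Every substring the pcre alone would accept, useful for alert triage."""
    return [m.group(0).decode() for m in PCRE.finditer(body)]

def alerting_samples() -> list[str]:
    """Names of the constructed bodies that would trigger the rule."""
    return [name for name, body in SAMPLES.items() if rule_matches(body)]

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} alert={rule_matches(body)} pcre={pcre_hits(body)}")
```

When triaging alerts from this rule, pcre_hits() shows which path fragment satisfied the regex; if it is not adjacent to the 1.usa.gov host, the hit is the unanchored case rather than a shortened URL.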

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org



