Snort mailing list archives

Re: Help with a custom SNORT rule.


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 6 Nov 2012 09:48:08 -0600

On 11/06/2012 07:11 AM, Ngo, John, OIG DoD wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email PDF file
> attachment"; flow:to_server,established; content:"Content-Disposition|3A|";
> nocase; pcre:"/(^\d+[1-9]+\.pdf$)/"; distance:0;
> classtype:suspicious-filename-detect; sid:100000106; rev:1;)

Using RFC 2183... not sure if outdated.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email with PDF
attachment"; flow:established,to_server; content:"Content-Disposition|3a|";
nocase; pcre:"/filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri";
classtype:suspicious-filename-detect; sid:x; rev:1;)

I've been back and forth on how to effectively make this performance friendly
and it's going to be PCRE-heavy regardless; I like the idea of keeping the PCRE
relative to the previous content match from a performance aspect.

Cheers,
Nathan
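As an added example (not part of the thread), a small Python harness that emulates the two-stage match Snort performs for these rules: a case-insensitive content hit on the header name, followed by a PCRE search that starts where that hit ends (the R flag). It runs both regexes posted above over constructed Content-Disposition lines; the sample headers and function names are my own.

```python
import re

# Emulates  content:"Content-Disposition|3a|"; nocase; pcre:"/.../Ri";
# The content match locates the header name case-insensitively; the R flag
# makes the PCRE search start at the end of that match rather than offset 0.
CONTENT = b"Content-Disposition:"

# Both regexes as posted in the thread (Python's re accepts this PCRE subset).
ANCHORED = re.compile(rb"(^\d+[1-9]+\.pdf$)")          # first rule, no /i
RELATIVE = re.compile(                                  # second rule, /Ri
    rb"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?", re.IGNORECASE)


def snort_match(payload: bytes, pattern: re.Pattern) -> bool:
    """True if CONTENT is found (nocase) and `pattern` matches relative to it."""
    idx = payload.lower().find(CONTENT.lower())
    if idx < 0:
        return False
    # search(payload, pos) keeps the whole buffer, so ^ and $ still anchor on
    # the buffer edges, the same way pcre_exec() behaves with a start offset.
    return pattern.search(payload, idx + len(CONTENT)) is not None


def check_rules(payload: bytes) -> dict:
    """Evaluate both posted regexes against one SMTP payload fragment."""
    return {"anchored": snort_match(payload, ANCHORED),
            "relative": snort_match(payload, RELATIVE)}


# Constructed MIME header fragments (not captured traffic).
SAMPLES = {
    "quoted":   b"Content-Disposition: attachment; filename=\"12345.pdf\"\r\n",
    "bare":     b"content-disposition: attachment; filename=987.pdf\r\n",
    "spaced":   b"Content-Disposition: inline; FILENAME = '42.pdf'\r\n",
    "alpha":    b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n",
    "noheader": b"Content-Type: application/pdf; name=\"12345.pdf\"\r\n",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:9s} {check_rules(hdr)}")
```

Because the relative search begins after the header name, a pattern anchored with `^` can never match at that position, which is why the anchored variant reports no hit on any sample while the filename-based one fires only on the all-digit `.pdf` names.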


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!