Snort mailing list archives
Re: Help with a custom SNORT rule.
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 6 Nov 2012 09:56:27 -0600
On 11/06/2012 09:48 AM, lists () packetmail net wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email with PDF attachment"; flow:established,to_server; content:"Content-Disposition|3a|"; nocase; pcre:"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri"; classtype:suspicious-filename-detect; sid:x; rev:1;)

Missing a leading forward slash (sorry for the list spam), rule is untested, hopefully it helps.

pcre:"/filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri";

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
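The content/pcre pair of the rule emulated in Python, as an added example that is not from the thread or the Snort project: it shows why the first posting's pcre value is rejected (no leading "/" delimiter), how the R flag ties the regex to the end of the Content-Disposition match, and which constructed header values the corrected pattern does and does not fire on. parse_pcre_option, match_pdf_attachment and the sample fragments are names and data assumed here.

```python
import re

# Assumed helper, not from the thread: split a Snort pcre option value such as
# "/pattern/Ri" into (pattern, flags). Snort requires the delimiters, which is
# why the first posting's value (no leading "/") is rejected at rule load.
def parse_pcre_option(value):
    if not value.startswith("/"):
        raise ValueError("pcre option must start with a '/' delimiter")
    end = value.rfind("/")
    if end == 0:
        raise ValueError("pcre option has no closing '/' delimiter")
    return value[1:end].encode(), value[end + 1:]

def match_pdf_attachment(payload, pcre_option):
    """Emulate content:"Content-Disposition|3a|"; nocase; followed by the pcre.

    |3a| is Snort's hex escape for ':'. The pcre 'R' flag makes the search start
    at the end of that content match; 'i' makes it case-insensitive.
    """
    pattern, flags = parse_pcre_option(pcre_option)
    anchor = re.search(rb"Content-Disposition:", payload, re.IGNORECASE)
    if anchor is None:
        return False                      # content option did not match
    regex = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    start = anchor.end() if "R" in flags else 0
    return regex.search(payload, start) is not None

# The two pcre values as posted in the thread: the first lacks the leading "/".
BROKEN_PCRE = r"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri"
FIXED_PCRE = r"/filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri"

# Constructed SMTP DATA fragments (not captured traffic).
NUMERIC_PDF = b'Content-Type: application/pdf\r\nContent-Disposition: attachment; filename="20121106.pdf"\r\n'
NAMED_PDF = b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
DOUBLE_EXT = b'Content-Disposition: attachment; filename="1234.pdf.exe"\r\n'
NO_HEADER = b'filename="1234.pdf"\r\n'
BEFORE_HEADER = b'filename="1.pdf"\r\nContent-Disposition: inline\r\n'   # R flag: not scanned

if __name__ == "__main__":
    samples = [("numeric", NUMERIC_PDF), ("named", NAMED_PDF), ("double-ext", DOUBLE_EXT),
               ("no-header", NO_HEADER), ("before-header", BEFORE_HEADER)]
    for name, sample in samples:
        print(name, match_pdf_attachment(sample, FIXED_PCRE))
```

Because the trailing quote class is optional and nothing anchors the end of the filename, the pattern also fires on 1234.pdf.exe; that is worth knowing when tuning the rule against false positives or negatives.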