Snort mailing list archives

Re: Help with a custom SNORT rule.


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 6 Nov 2012 09:56:27 -0600

On 11/06/2012 09:48 AM, lists () packetmail net wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email with PDF
attachment"; flow:established,to_server; content:"Content-Disposition|3a|";
nocase; pcre:"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri";
classtype:suspicious-filename-detect; sid:x; rev:1;)

Missing a leading forward slash (sorry for the list spam), rule is untested,
hopefully it helps.

pcre:"/filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri";
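To see exactly what the corrected rule fires on, here is an added Python check (not from the thread) that runs the PCRE over a few constructed Content-Disposition headers and emulates the rule's `content` prerequisite plus the `R` (relative) modifier; the sample SMTP fragments are constructed, not captured traffic.

```python
import re

# The PCRE from the corrected rule, as Python's `re` understands it.
# Snort's /i flag -> re.IGNORECASE; the /R flag (search relative to the end of
# the preceding `content` match) is emulated in rule_matches() below.
FILENAME_PCRE = re.compile(
    rb"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?", re.IGNORECASE
)

# content:"Content-Disposition|3a|"; nocase;  -- |3a| is Snort hex for ':'
CONTENT_ANCHOR = re.compile(rb"Content-Disposition:", re.IGNORECASE)


def rule_matches(payload: bytes) -> bool:
    """Return True if the rule's content + pcre pair would fire on payload.

    Snort evaluates `content` first, then runs the pcre from the end of that
    match because of the R modifier. Like Snort, retry for every
    Content-Disposition occurrence so a later header can still match.
    """
    for anchor in CONTENT_ANCHOR.finditer(payload):
        if FILENAME_PCRE.search(payload, anchor.end()):
            return True
    return False


# Constructed SMTP DATA fragments (not real traffic) for a quick self-check.
# Note that \d+ immediately before \.pdf means only all-digit base names match.
SAMPLES = {
    "digits_only_name": b'Content-Disposition: attachment; filename="20121106.pdf"\r\n',
    "mixed_case_quotes": b"content-disposition: inline; FILENAME = '42.PDF'\r\n",
    "alpha_name": b'Content-Disposition: attachment; filename="report.pdf"\r\n',
    "digits_not_whole_name": b'Content-Disposition: attachment; filename="invoice2012.pdf"\r\n',
    "filename_before_anchor": b"X-Hint: filename=1.pdf\r\nContent-Disposition: attachment; filename=a.pdf\r\n",
    "no_anchor_header": b"Subject: 123.pdf\r\n\r\nfilename=123.pdf\r\n",
}


def evaluate_samples() -> dict:
    """Map each sample label to whether the rule would alert on it."""
    return {label: rule_matches(data) for label, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, fired in evaluate_samples().items():
        print(f"{label:24s} -> {'ALERT' if fired else 'no match'}")
```

Only the first two samples alert; the `filename_before_anchor` case shows why `R` matters, since a `filename=` earlier in the payload than the Content-Disposition header is never examined.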

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs