Snort mailing list archives
UTF-8 BOM
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 08 Apr 2013 13:50:28 -0600
It's a Monday, so let's start with something exciting:

# Editor's note (added, not part of the original post): the ZIP local file header
# signature is 50 4B 03 04 ("PK"); the posted pattern read "50 B4", a transposition,
# corrected here to "50 4B" so the content match can actually hit a ZIP.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS UTF-8 BOM in ZIP"; flow:to_server,established; file_data; content:"zip"; content:"|EF BB BF 50 4B|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; classtype:trojan-activity; sid:10000045; rev:1;)

Or not ;)..thoughts/cleanups/anything_that_would_make_this_useful are welcome.

James
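As an added example (not from the post, the McAfee write-up, or the Snort project), the check below shows why the evasion works: a UTF-8 BOM in front of the archive defeats a magic-byte match at offset 0, yet the archive still opens, because ZIP readers locate the central directory from the end of the file. The sample archive is constructed in memory.

```python
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"          # EF BB BF
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # 50 4B 03 04


def make_sample_zip(name="invoice.txt", payload=b"constructed sample") -> bytes:
    """Build a small archive in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def classify(data: bytes) -> str:
    """Classify the leading bytes the way a magic-byte check or the rule's
    content match would see them."""
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    if data.startswith(UTF8_BOM + ZIP_LOCAL_HEADER):
        return "bom-zip"
    if data.startswith(UTF8_BOM):
        return "bom-other"
    return "other"


def member_names(data: bytes) -> list:
    """Return member names, or [] if zipfile cannot open the blob.

    zipfile finds the end-of-central-directory record from the end of the
    file and corrects for leading junk, so a BOM-prefixed archive opens
    normally even though offset 0 no longer holds 'PK'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def scan(data: bytes) -> dict:
    """Combine both checks: alert when the blob hides its magic behind a BOM
    but is still a readable archive."""
    kind = classify(data)
    names = member_names(data)
    return {"kind": kind, "members": names,
            "alert": kind == "bom-zip" and bool(names)}


if __name__ == "__main__":
    clean = make_sample_zip()
    print(scan(clean))
    print(scan(UTF8_BOM + clean))
```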