Snort mailing list archives
Help with a custom SNORT rule.
From: "Ngo, John, OIG DoD" <John.Ngo () DODIG MIL>
Date: Tue, 6 Nov 2012 13:11:00 +0000
Hello, I'm attempting to create a rule that detects inbound email with pdf attachments named in numbers only (Ex: 12345.pdf) and the name can be in any digits. Below is what I came up with, however, the rule was not triggered. I'm new to SNORT and still learning it. If anyone could please take a look and let me know if I need to make changes to this rule. Thanks so much in advance.

John

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email PDF file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/(^\d+[1-9]+\.pdf$)/"; distance:0; classtype:suspicious-filename-detect; sid:100000106; rev:1;)
Attachment:
smime.p7s
Description:
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
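Added worked example (not part of the original post or any reply in the thread): a small Python emulation of how Snort evaluates the posted rule against a constructed SMTP DATA segment, next to a revised PCRE. Without the `R` (relative) flag, Snort evaluates a `pcre` against the whole payload from offset 0, and with no `m` flag the `^` and `$` anchors match only at the very start and end of that payload, so `^\d+[1-9]+\.pdf$` can never hit a filename that sits inside a `Content-Disposition:` header. `distance` is a `content` modifier and does nothing useful after `pcre`. The replacement pattern shown in the comments (`filename=\x22?\d+\.pdf\x22?(?=[\s;]|$)` with `iR`) is the editor's suggestion and was not verified against a live sensor; the sample payload and the `content_match_end` / `*_rule_matches` helpers are constructed for this example.

```python
import re

# Constructed sample of an SMTP DATA segment carrying a numerically named PDF.
# Real attachment bodies are base64; a stub line is enough to exercise the header match.
SAMPLE_PAYLOAD = (
    "Content-Type: application/pdf; name=\"48213.pdf\"\r\n"
    "Content-Disposition: attachment; filename=\"48213.pdf\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "JVBERi0xLjQK...constructed base64 stub...\r\n"
)

# Same segment with an alphanumeric base name: the rule should not fire on it.
BENIGN_PAYLOAD = SAMPLE_PAYLOAD.replace("48213.pdf", "invoice-48213.pdf")

# The rule's content:"Content-Disposition|3A|"; nocase;
CONTENT = "content-disposition:"

# The PCRE from the posted rule, as Snort's PCRE engine sees it: no flags,
# so ^ and $ anchor to the start and end of the whole payload.
ORIGINAL_PCRE = re.compile(r"(^\d+[1-9]+\.pdf$)")

# Suggested replacement (assumption, not verified on a live sensor):
#   pcre:"/filename=\x22?\d+\.pdf\x22?(?=[\s;]|$)/iR"
# 'R' starts the search right after the content hit; \x22 is the double quote
# that MIME usually wraps around the filename; the lookahead rejects names
# such as 12345.pdf.exe where ".pdf" is not the real extension.
REVISED_PCRE = re.compile(r'filename=\x22?\d+\.pdf\x22?(?=[\s;]|$)', re.IGNORECASE)


def content_match_end(payload: str) -> int:
    """Emulate content + nocase: offset just past the first hit, or -1 if none."""
    idx = payload.lower().find(CONTENT)
    return -1 if idx < 0 else idx + len(CONTENT)


def original_rule_matches(payload: str) -> bool:
    """Posted rule: content hit, then an absolute PCRE over the whole payload."""
    if content_match_end(payload) < 0:
        return False
    # No R flag: the PCRE runs from offset 0 and its ^...$ anchors can only
    # succeed if the entire payload is the bare filename, which never happens.
    return ORIGINAL_PCRE.search(payload) is not None


def revised_rule_matches(payload: str) -> bool:
    """Revised rule: content hit, then a relative (R) PCRE starting after it."""
    end = content_match_end(payload)
    if end < 0:
        return False
    return REVISED_PCRE.search(payload, end) is not None


if __name__ == "__main__":
    print("original rule fires:", original_rule_matches(SAMPLE_PAYLOAD))  # False
    print("revised rule fires: ", revised_rule_matches(SAMPLE_PAYLOAD))   # True
    print("revised on benign:  ", revised_rule_matches(BENIGN_PAYLOAD))   # False
```

Run it as a script to see the three outcomes. On a sensor, the same idea applies: keep the `content` match so the fast-pattern matcher does the bulk of the work, make the `pcre` relative to it, and expect the SMTP preprocessor to be inspecting the header lines of the message rather than decoded attachment bodies.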
Current thread:
- Help with a custom SNORT rule. Ngo, John, OIG DoD (Nov 06)
- Re: Help with a custom SNORT rule. lists () packetmail net (Nov 06)
- Re: Help with a custom SNORT rule. lists () packetmail net (Nov 06)
- Re: Help with a custom SNORT rule. lists () packetmail net (Nov 06)