Snort mailing list archives
Re: Help with a custom SNORT rule.
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 6 Nov 2012 09:48:08 -0600
On 11/06/2012 07:11 AM, Ngo, John, OIG DoD wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email PDF file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/(^\d+[1-9]+\.pdf$)/"; distance:0; classtype:suspicious-filename-detect; sid:100000106; rev:1;)
Using RFC 2183... not sure if outdated.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email with PDF attachment"; flow:established,to_server; content:"Content-Disposition|3a|"; nocase; pcre:"/filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri"; classtype:suspicious-filename-detect; sid:x; rev:1;)

I've been back and forth on how to effectively make this performance friendly, and it's going to be PCRE-heavy regardless; I like the idea of keeping the PCRE relative to the previous content match from a performance aspect.

Cheers,
Nathan
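The following is an added example, not code from either poster: it emulates in Python the two matching stages of the rule proposed above (the nocase content match on "Content-Disposition:", then the PCRE with Snort's R and i modifiers, i.e. searched relative to the end of the content match and case-insensitively) and runs it over a handful of constructed SMTP header fragments. The sample payloads are made up for the demonstration; they are not captured traffic. Besides the intended hit and miss, the samples show two edges of the PCRE as written: nothing is required after `\.pdf`, so "4711.pdf.exe" also fires, and the RFC 2231 `filename*=charset''value` parameter form is not matched at all.

```python
import re

# Content match from the rule, lower-cased once for the nocase comparison.
CONTENT = b"content-disposition:"

# PCRE body from the rule, minus Snort's /.../Ri wrapper. Python's re accepts
# the \x20 \x22 \x27 escapes (space, double quote, single quote) unchanged;
# Snort's 'i' modifier maps to re.IGNORECASE, 'R' is emulated in rule_matches().
PCRE = re.compile(rb"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?",
                  re.IGNORECASE)


def rule_matches(payload: bytes) -> bool:
    """True when the content match fires and the relative PCRE matches after it.

    Snort retries later occurrences of a content pattern when a relative option
    fails, so every occurrence of the content match is tried here as well.
    """
    haystack = payload.lower()
    start = haystack.find(CONTENT)
    while start != -1:
        # 'R' modifier: the PCRE search begins at the end of the content match.
        if PCRE.search(payload, start + len(CONTENT)):
            return True
        start = haystack.find(CONTENT, start + 1)
    return False


# Constructed SMTP DATA header fragments (not real traffic): the intended hit,
# a miss, a case/whitespace variant, and two edge cases of the PCRE as written.
SAMPLES = {
    "numeric_pdf":    b'Content-Disposition: attachment; filename="20121106.pdf"\r\n',
    "alpha_pdf":      b'Content-Disposition: attachment; filename="report.pdf"\r\n',
    "spaced_upper":   b'content-disposition: attachment; filename = 4711.PDF\r\n',
    "no_disposition": b'Content-Type: application/pdf; name="4711.pdf"\r\n',
    # nothing after \.pdf is required, so a double extension still fires
    "double_ext":     b'Content-Disposition: attachment; filename="4711.pdf.exe"\r\n',
    # RFC 2231 parameter form (filename*=charset''value) never matches
    "rfc2231":        b"Content-Disposition: attachment; filename*=us-ascii''4711.pdf\r\n",
}


def scan_samples() -> dict:
    """Run every constructed sample through the emulated rule."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:15} {'ALERT' if hit else '-'}")
```

If the double-extension case matters, ending the PCRE with something like `(?=["'\s;\r\n]|$)` instead of the optional quote/space class would require the name to stop at `.pdf`; the `filename*=` form needs a separate alternation (or a second rule) if it is in scope.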
Current thread:
- Help with a custom SNORT rule. Ngo, John, OIG DoD (Nov 06)
- Re: Help with a custom SNORT rule. lists () packetmail net (Nov 06)
- Re: Help with a custom SNORT rule. lists () packetmail net (Nov 06)
- Re: Help with a custom SNORT rule. lists () packetmail net (Nov 06)