On 0, Jeffrey Lowe <jeffrey.lowe@mci.com> allegedly wrote:
Looking to make a sig to catch inbound webmail attachments from specific
hosts, such as .EXE, .SCR, .BAT, .ZIP etc. coming from mail.yahoo.com.
look at the rule in virus.rules, this catches all those attachment types
all you would need to do is copy it and change the ports and direction of
flow to suit your needs.
I tried:
alert tcp any 216.109.127.60 -> $HOME_NET any (msg:"Inbound Yahoo Mail file
attachment"; pcre:"/(.EXE|.SCR|.BAT|.DLL|.ZIP)/i"; classtype:Test;
sid:20000_ _; rev:1;)
You have an address where a port should be. Also, you might find that
mail.yahoo.com is not the sending host and I would be surprised if there
was only one.
Also, not sure why you have "_ _" in the sid and the classtype "Test" is
not in the standard classification.config, I will assume you have added it.
and I get some weird results, none of which are file attachments.
Yep, not surprised about the weird results, see above.
Thanks,
Jeff
+-------------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
"Dude, dolphins are intelligent and friendly!" - Wendy
"Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+
-------------------------------------------------------
This SF.Net email is sponsored by: thawte's Crypto Challenge Vl
Crack the code and win a Sony DCRHC40 MiniDV Digital Handycam
Camcorder. More prizes in the weekly Lunch Hour Challenge.
Sign up NOW http://ad.doubleclick.net/clk;10740251;10262165;m
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
