[Snort-sigs] SID 2161

Sam Evans sam at ...219...
Thu Jun 26 07:19:03 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:misc-activity; sid:2161; rev:2;)

--
Sid:
2161

--
Summary:
Rule was previously labeled VIRUS OUTBOUND .doc file attachment.  I have
found this to be inaccurate as this rule fires on any .doc file going
outbound, virus infected or not.  Felt this should be changed so as not to
mislead customers that this rule is correctly detecting virus infected
documents.


--
Impact:
Informational Only

--
Detailed Information:

--
Affected Systems:
Microsoft Platforms

--
Attack Scenarios:
N/A

--
Ease of Attack:
N/A

--
False Positives:
N/A

--
False Negatives:
N/A

--
Corrective Action:
N/A

--
Contributors:
Existing rule in the Snort.org ruleset.

-- 
Additional References:
N/A
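
The rule's content chain, modeled in Python as an added example that is not part of the original post or of Snort: it shows that the match depends only on the attachment filename in the MIME header. The matcher, the `mime_part` helper and the sample filenames are constructed for illustration, and the `distance`/`within` handling is an assumed simplification of Snort's behaviour.

```python
# Added illustration, not Snort code: models the content chain of SID 2161.
# Assumption: "distance:0; within:30" means the next pattern must start at or
# after the end of the previous match and end no more than 30 bytes past it.

# (pattern, nocase, within); within=None means search the whole payload
SID_2161 = [
    (b"Content-Disposition:", False, None),
    (b'filename="', False, 30),
    (b'.doc"', True, 30),
]


def chain_matches(payload, chain=SID_2161, start=0, idx=0):
    """Return True if every content in the chain matches, with backtracking."""
    if idx == len(chain):
        return True
    pattern, nocase, within = chain[idx]
    haystack = payload.lower() if nocase else payload
    needle = pattern.lower() if nocase else pattern
    limit = len(payload) if within is None else min(len(payload), start + within)
    pos = haystack.find(needle, start, limit)
    while pos != -1:
        if chain_matches(payload, chain, pos + len(needle), idx + 1):
            return True
        pos = haystack.find(needle, pos + 1, limit)
    return False


def mime_part(filename):
    """Build a constructed MIME attachment header block for testing."""
    return (
        b"Content-Type: application/msword\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\r\n\r\n'
    )


# Constructed samples: the filename is the only thing the chain inspects,
# so nothing here reflects whether a document is infected.
SAMPLES = ["report.doc", "REPORT.DOC", "notes.txt", "a" * 26 + ".doc"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:40} alert={chain_matches(mime_part(name))}")
```

Under the modeled `within:30` window, a base filename longer than 25 bytes pushes `.doc"` out of range, so such attachments do not match.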




