[Snort-sigs] Avoidance of 664.13 (SMTP RCPT TO decode attempt)

Brian bmc at ...95...
Tue Jul 6 08:06:13 EDT 2004


On Sat, Jul 03, 2004 at 12:20:00AM -0600, nnposter at ...592... wrote:
> I am proposing to add "nocase" to the first content clause:
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
> (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; 
> content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; 
> pcre:"/^rcpt to\:\s+decode/smi"; reference:arachnids,121; 
> reference:bugtraq,2308; reference:cve,1999-0203; 
> classtype:attempted-admin; sid:664; rev:14;)

yep, except also do a \s* instead of \s+
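
An added example, not part of the thread and not Snort's own code: a Python model of the payload options in the rule quoted above, run over constructed SMTP lines, showing which ones fire without the first "nocase", with it, and with \s* in place of \s+. It assumes the rule before the proposal is the quoted rule minus that one keyword, and uses Python's re module as a stand-in for PCRE.

```python
import re

# Constructed sample client lines (not captured traffic).
SAMPLES = [
    b"RCPT TO: decode\r\n",
    b"rcpt to: decode\r\n",
    b"rcpt to:decode\r\n",
    b"RCPT TO:\tdecode\r\n",
    b"RCPT TO: <user@example.com>\r\n",
]

def content_offsets(payload, needle, nocase, start=0):
    """Return end offsets of every `needle` occurrence at or after `start`."""
    hay = payload.lower() if nocase else payload
    pat = needle.lower() if nocase else needle
    ends, i = [], hay.find(pat, start)
    while i != -1:
        ends.append(i + len(pat))
        i = hay.find(pat, i + 1)
    return ends

def rule_matches(payload, first_nocase, ws):
    """Model of sid 664's payload options: two content matches plus the pcre."""
    # content:"rcpt to|3A|"; [nocase;]
    for end in content_offsets(payload, b"rcpt to:", first_nocase):
        # content:"decode"; distance:0; nocase;  (searched after the first match)
        if content_offsets(payload, b"decode", True, start=end):
            break
    else:
        return False
    # pcre:"/^rcpt to\:\s+decode/smi"  (ws is "+" or "*"; assumed re equivalent)
    pcre = re.compile(rb"^rcpt to\:\s" + ws.encode() + rb"decode",
                      re.S | re.M | re.I)
    return pcre.search(payload) is not None

def compare(payload):
    """Return (without first nocase, as proposed, proposed with \\s*)."""
    return (rule_matches(payload, False, "+"),
            rule_matches(payload, True, "+"),
            rule_matches(payload, True, "*"))

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, compare(line))
```
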



