[Snort-sigs] Suspicious File Extensions

Matthew Jonkman matt at ...2436...
Tue Jul 20 06:43:18 EDT 2004


Good list. The ones that were not in the rule have been added. They are:

zip, url, sct, rar, plx, pls, plc, pcd, mst, msg, msc, mhtm, mht, 
mdz, isp, ins, inf, fol, ebs, crt, bas

I did not include the {* right now. If you can give me an example of 
what that looks like I think that's worth a new rule. This pcre is 
getting huge, and I'm wary of the implications of bringing in *'s and 
{'s there. So if you send out an example I'll make up a new rule for it.

This one is up on bleedingsnort.com. PLEASE let me know if it's hitting 
or not hitting what it should.

Thanks Herb for the list.

Matt

Herb Martin wrote:

> The list of "dangerous files" probably includes
> all of these extensions:
> 
> scr
> {*  <<< (represents GUID values which start and end with {})
> zip
> wsh
> wsf
> wsc
> vbs
> vbe
> vb
> url
> shs
> sct
> reg
> rar
> plx
> pls
> plc
> pif
> pcd
> mst
> msp
> msi
> msg
> msc
> mhtm
> mht
> mdz
> mde
> mdb
> mda
> lnk
> jse
> js
> isp
> ins
> inf
> hta
> hlp
> fol
> exe
> ebs
> crt
> cpl
> cmd
> chm
> bat
> bas
> adp
> ade
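The check the thread is discussing, written out as a small Python script so it can be tried against sample MIME headers offline. This is an added example, not the bleedingsnort rule text and not code from either poster: the extension list is the one given in the thread, the regular expressions and the `flag_filename` / `scan_mime_headers` names are assumptions made here, and the header lines are constructed rather than captured traffic. It also handles the `{*` case Herb describes (a trailing `{GUID}` on the filename), which Matt left out of the big pcre because `{` and `*` are regex metacharacters that need escaping.

```python
import re

# Extensions from the thread: Herb's list plus the ones Matt says he added.
DANGEROUS_EXTENSIONS = [
    "scr", "zip", "wsh", "wsf", "wsc", "vbs", "vbe", "vb", "url", "shs", "sct",
    "reg", "rar", "plx", "pls", "plc", "pif", "pcd", "mst", "msp", "msi", "msg",
    "msc", "mhtm", "mht", "mdz", "mde", "mdb", "mda", "lnk", "jse", "js", "isp",
    "ins", "inf", "hta", "hlp", "fol", "exe", "ebs", "crt", "cpl", "cmd", "chm",
    "bat", "bas", "adp", "ade",
]

# Anchored at the end of the filename and case-insensitive, because Windows
# treats "INVOICE.EXE" and "invoice.exe" alike. Illustrative pattern only
# (an assumption of this example), not the text of the bleedingsnort rule.
EXT_RE = re.compile(
    r"\.(?:" + "|".join(re.escape(e) for e in DANGEROUS_EXTENSIONS) + r")$",
    re.IGNORECASE,
)

# The "{*" entry from Herb's list: a name such as
# "photo.jpg.{01234567-89ab-cdef-0123-456789abcdef}" ends in a CLSID, and
# Explorer hides that suffix, so the displayed name gives no hint of the
# handler that will actually open it. The braces are regex metacharacters
# and must be escaped, which is the concern raised about the big pcre.
CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.IGNORECASE
)

# Pulls the value of a MIME "name=" or "filename=" parameter, quoted or not.
PARAM_RE = re.compile(
    r'(?:filename|name)=\s*"?([^";\r\n]+?)"?\s*(?:;|\r?\n|$)', re.IGNORECASE
)


def flag_filename(name):
    """Return 'clsid', the matched extension (lowercased), or None."""
    name = name.strip()
    if CLSID_RE.search(name):
        return "clsid"
    m = EXT_RE.search(name)
    return m.group(0)[1:].lower() if m else None


def scan_mime_headers(headers):
    """Return (filename, reason) for every attachment parameter that trips a check."""
    hits = []
    for m in PARAM_RE.finditer(headers):
        reason = flag_filename(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


# Constructed sample headers (not captured traffic); the GUID is made up.
SAMPLE_HEADERS = (
    'Content-Type: application/octet-stream; name="invoice.pdf.exe"\r\n'
    'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n'
    'Content-Type: text/plain; name="notes.txt"\r\n'
    'Content-Disposition: attachment; filename="notes.txt"\r\n'
    'Content-Disposition: attachment; filename=readme.MHT\r\n'
    'Content-Disposition: attachment;\r\n'
    '\tfilename="photo.jpg.{01234567-89ab-cdef-0123-456789abcdef}"\r\n'
)

if __name__ == "__main__":
    for name, reason in scan_mime_headers(SAMPLE_HEADERS):
        print(f"{reason:>6}  {name}")
```

Both the `name=` and `filename=` parameters are scanned because a mailer may set either; the double-extension name above therefore produces two hits, which is what a per-packet Snort rule would do as well. A real rule would also need the PCRE equivalent of `\{` for the CLSID form, kept as its own signature as Matt suggests rather than folded into the extension alternation.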
