[Snort-sigs] Questions about sid: 721
sab139 at ...715...
Tue May 25 12:33:03 EDT 2004
I've been looking at the "VIRUS OUTBOUND bad file attachment" signature (sid:721) and trying to figure out how to split it into two pieces. My hope is to have a "suspicious" group (dot, hlp, ini, ...) and a "nasty" group (com, exe, scr, bat, ...), but I have two questions about it.
1 - What is the meaning of the "(?=[abcdehijlmnoprsvwx])" section of the PCRE? Is it supposed to be a list of all the used characters or just of the first characters in the matched extensions?
2 - The web site says that filename="encrypted.asc" triggers a false positive. How is that matching?
Steven Bairstow http://www.personal.psu.edu/~sab139
Computer and Network Services - Sutherland Building
Penn State University - Abington College
"The machine is a marvelous simplifier... and may be the modern
emancipator of the creative mind." -- Frank Lloyd Wright
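The following is an added example, not part of the original post and not the text of sid:721. It uses a constructed regex with the same shape the post describes (a zero-width lookahead listing the first letter of each extension, followed by the extension alternation) and two illustrative extension lists, so that the lookahead's role and the effect of splitting the rule can be checked against sample Content-Disposition lines. It does not claim to explain why the real rule fires on encrypted.asc; it only shows one common way an unterminated extension alternation over-matches, and what happens if the lookahead class is not rebuilt for each new group.

```python
import re

# Constructed stand-in for the shape of a "bad file attachment" PCRE.
# The lists below are illustrative and are NOT the sid:721 extension list.
NASTY = ["bat", "com", "exe", "pif", "scr", "vbs"]
SUSPICIOUS = ["dot", "hlp", "ini", "reg"]


def first_char_class(exts):
    """Character class of the *first* letter of each extension.

    This is the kind of class that sits in a (?=[...]) lookahead: it is a
    cheap prefilter, not a list of every letter used by the extensions.
    """
    return "[" + "".join(sorted({e[0] for e in exts})) + "]"


def build_pattern(exts, lookahead=None, anchored=True):
    """Compile a filename=... matcher for one Content-Disposition line.

    lookahead: class string to place in (?=...) or None for no lookahead.
    anchored:  require quote/whitespace/';'/end after the extension, so
               'foo.com' matches but 'foo.commandments' does not.
    """
    alt = "|".join(sorted(exts, key=len, reverse=True))  # longest first
    la = "(?=%s)" % lookahead if lookahead else ""
    tail = r"(?=[\x27\x22\s;]|$)" if anchored else ""
    return re.compile(
        r'filename\s*=\s*"?[^"\r\n]*?\.' + la + "(" + alt + ")" + tail,
        re.I,
    )


# Rebuild the lookahead class from each group's own extension list.
NASTY_RE = build_pattern(NASTY, first_char_class(NASTY))
SUSP_RE = build_pattern(SUSPICIOUS, first_char_class(SUSPICIOUS))


def classify(header):
    """Return 'nasty', 'suspicious' or None for one header line."""
    if NASTY_RE.search(header):
        return "nasty"
    if SUSP_RE.search(header):
        return "suspicious"
    return None


def matched_extension(exts, header, lookahead=None, anchored=True):
    """Extension captured by a pattern built with the given options."""
    m = build_pattern(exts, lookahead, anchored).search(header)
    return m.group(1).lower() if m else None


# Constructed sample headers (not captured traffic).
SAMPLES = [
    'Content-Disposition: attachment; filename="setup.exe"',
    "Content-Disposition: attachment; filename=readme.hlp",
    'Content-Disposition: attachment; filename="encrypted.asc"',
    'Content-Disposition: attachment; filename="ten.commandments.txt"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
    # Lookahead is only a first-letter prefilter: removing it changes
    # nothing on these samples, but a stale class silently drops matches.
    stale = first_char_class(SUSPICIOUS)
    print("setup.scr with stale lookahead:",
          matched_extension(NASTY, 'filename="setup.scr"', lookahead=stale))
    print("ten.commandments.txt unanchored:",
          matched_extension(NASTY, SAMPLES[3], anchored=False))
```

Two things worth checking when splitting a rule this way: the `(?=[...])` class must be regenerated from each new group's extensions (otherwise an extension whose first letter is missing from the class, such as scr against a class built for the "suspicious" group, is never matched), and the alternation needs a terminator after the extension, or a longer token such as `.commandments` matches as `.com`.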