[Snort-sigs] Questions about sid: 721

Steven Bairstow sab139 at ...715...
Tue May 25 12:33:03 EDT 2004

I've been looking at the "VIRUS OUTBOUND bad file attachment" signature (sid:721) and trying to figure out how to split it into two pieces.  My hope is to have a "suspicious" group (dot, hlp, ini, ...) and a "nasty" group (com, exe, scr, bat, ...) but I have two questions about it.

1 - What is the meaning of the "(?=[abcdehijlmnoprsvwx])" section of the PCRE?  Is it supposed to be a list of all the used characters or just of the first characters in the matched extensions?

2 - The web site says that filename="encrypted.asc" triggers a false positive.  How is that matching?


Steven Bairstow                  http://www.personal.psu.edu/~sab139
Computer and Network Services - Sutherland Building
Penn State University - Abington College

"The machine is a marvelous simplifier... and may be the modern 
emancipator of the creative mind." -- Frank Lloyd Wright
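As an added illustration of the two questions above (example code written here, not from the post and not the real sid:721 pattern): a pair of Python regexes built the way the poster proposes, one per extension group, each with a first-character lookahead derived from its own group so the meaning of `(?=[...])` is visible. The extension lists and the MIME header lines are constructed for the example.

```python
import re

# Constructed extension groups following the split proposed in the post
# (assumed lists, not the real sid:721 alternation).
SUSPICIOUS = ["dot", "hlp", "ini", "reg", "url"]
NASTY = ["com", "exe", "scr", "bat", "pif", "vbs"]

# The lookahead character class quoted in the post.
SID721_FIRST_CHARS = "abcdehijlmnoprsvwx"


def lookahead_admits(extension, first_chars=SID721_FIRST_CHARS):
    """True if a (?=[first_chars]) placed after the dot lets the engine go on
    to try the alternation. It checks only the FIRST character of the
    extension, so 'asc' is admitted ('a' is in the set) while the final
    verdict depends entirely on the alternation that follows it."""
    return extension[:1].lower() in first_chars


def build_pattern(extensions):
    """Build one rule-style regex for a filename= parameter whose extension is
    in `extensions`. The lookahead set is derived from the first characters
    of the group, which is what the sid:721 lookahead does: a cheap
    pre-filter that matches nothing by itself."""
    first_chars = "".join(sorted({e[0] for e in extensions}))
    alternation = "|".join(re.escape(e) for e in sorted(extensions))
    return re.compile(
        r'filename\s*=\s*"?[^";\r\n]*?\.(?=[' + first_chars + r'])('
        + alternation + r')(?=["\s;,]|$)',
        re.IGNORECASE,
    )


SUSPICIOUS_RE = build_pattern(SUSPICIOUS)
NASTY_RE = build_pattern(NASTY)


def classify(header_line):
    """Return 'nasty', 'suspicious' or None for one MIME header line."""
    if NASTY_RE.search(header_line):
        return "nasty"
    if SUSPICIOUS_RE.search(header_line):
        return "suspicious"
    return None
```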
