[Snort-sigs] new rule to detect SMTP MIME-Type ms-tnef access

rmkml rmkml at ...324...
Wed Jan 11 04:13:02 EST 2006


Hi,

Please check and maybe add this new rule:

smtp.rules:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MIME-Type ms-tnef access"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/"; nocase; pcre:"/Content-Type\x3A\s+application\/ms-tnef/i"; reference:bugtraq,16197; reference:cve,2006-0002; reference:url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx; classtype:attempted-admin; )

This rule IS NOT TESTED.
Another ref is http://www.kb.cert.org/vuls/id/252146.

Improvements/comments are welcome.

Regards
Rmkml
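
Added example (not part of the original post and not Snort project code): a small Python harness that replays the posted rule's payload options (the two nocase content matches and the pcre) against constructed SMTP header samples, to show which Content-Type spellings the untested rule covers. It assumes Python's re behaves like PCRE for this pattern and does not model the flow or port checks; the function and sample names are hypothetical.

```python
import re

# Payload options transcribed from the posted rule; flow/port checks are not modelled.
CONTENT_1 = b"content-type:"   # content:"Content-Type|3A|"; nocase;
CONTENT_2 = b"application/"    # content:"application/"; nocase;
PCRE = re.compile(rb"Content-Type\x3A\s+application\/ms-tnef", re.IGNORECASE)


def rule_matches(payload: bytes) -> bool:
    """Return True when all three payload options of the rule match."""
    lowered = payload.lower()  # emulates nocase for the two content options
    if CONTENT_1 not in lowered or CONTENT_2 not in lowered:
        return False
    return PCRE.search(payload) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain": b'Content-Type: application/ms-tnef; name="winmail.dat"\r\n',
    "upper": b"CONTENT-TYPE: APPLICATION/MS-TNEF\r\n",
    "tab": b"Content-Type:\tapplication/ms-tnef\r\n",
    "folded": b"Content-Type:\r\n application/ms-tnef\r\n",
    "no_space": b"Content-Type:application/ms-tnef\r\n",
    "other_app": b"Content-Type: application/pdf\r\n",
    "text": b"Content-Type: text/plain\r\n",
}


def coverage() -> dict:
    """Map each constructed sample name to whether the rule would alert on it."""
    return {name: rule_matches(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{name:10} {'ALERT' if hit else 'no alert'}")
```

The no_space sample is a syntactically valid header that the pcre's \s+ does not match; \s* in its place would cover it.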



