[Snort-sigs] new rule to detect Mozilla filename overflow

rmkml rmkml at ...324...
Wed Jan 18 08:45:07 EST 2006


Hi,

Please check and maybe add this new rule:

smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Mozilla filename overflow attempt"; flow:to_server,established; content:"filename|3D 22|"; nocase; pcre:"/^\s*filename\=\"[^\n]{100,}\.(exe|lnk)/smi"; reference:bugtraq,16271; classtype:attempted-admin; )

Improvements/comments are welcome.

Regards
Rmkml
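
Added example, not part of the original post: a coverage check that applies the rule's content and pcre options to constructed MIME headers. Python's re module stands in for Snort's PCRE engine, and the sample payloads and helper names are assumptions made for this example.

```python
import re

# From the rule: content:"filename|3D 22|"; nocase;  (|3D 22| is hex for =")
CONTENT = b'filename="'
# From the rule: pcre body with its /smi flags (Python's re stands in for PCRE)
PCRE = re.compile(rb'^\s*filename\=\"[^\n]{100,}\.(exe|lnk)', re.S | re.M | re.I)

def rule_matches(payload: bytes) -> bool:
    """True when both the content option and the pcre option would match."""
    if CONTENT not in payload.lower():
        return False
    return PCRE.search(payload) is not None

def mime_part(disposition: bytes) -> bytes:
    """Constructed MIME part headers followed by a dummy body."""
    return (b"Content-Type: application/octet-stream\r\n"
            + disposition + b"\r\n\r\nAAAA\r\n")

LONG = b"A" * 120   # constructed name, longer than the rule's 100-byte threshold
FOLDED = b"Content-Disposition: attachment;\r\n\t"   # parameter on its own line
INLINE = b"Content-Disposition: attachment; "        # parameter on the same line

SAMPLES = {  # all constructed for this example
    "folded_long_exe": mime_part(FOLDED + b'filename="' + LONG + b'.exe"'),
    "folded_long_lnk_upper": mime_part(FOLDED + b'FILENAME="' + LONG + b'.LNK"'),
    "folded_short_exe": mime_part(FOLDED + b'filename="report.exe"'),
    "folded_long_txt": mime_part(FOLDED + b'filename="' + LONG + b'.txt"'),
    "inline_long_exe": mime_part(INLINE + b'filename="' + LONG + b'.exe"'),
}

def coverage() -> dict:
    """Map each constructed sample name to whether the rule would alert."""
    return {name: rule_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{name:24} {'alert' if hit else 'no alert'}")
```

The inline_long_exe case shows the effect of the `^` anchor under the /m flag: the pcre only matches when the filename parameter begins its own header line.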



