[Snort-sigs] correction and new rule about keyloggers

Nigel Houghton nigel at ...2981...
Fri May 26 05:04:29 EDT 2006


On  0, Chich Thierry <thierry.chich at ...2579...> wrote:
> 
> 
> The first rule I have sent was a little buggy. A "|" was lacking. Thanks to  
> rmkml.
> 
> alert tcp $HOME_NET any -> any 25 (msg:"LOCAL TEST - elitekeylogger v1.0 
> report"; flow:established;content:"MAIL FROM|3a|<logs at ...3219...>";
> tag:session,60,seconds;classtype:policy-violation;sid:1200604131;rev:1;)

Is there a space between the ":" and the <logs... in that Mail From
line?

-- 
Nigel

Darkness is not the absence of light.
It is the presence of Vin Diesel.




More information about the Snort-sigs mailing list