[Snort-sigs] Help with a custom SNORT rule.

Ngo, John, OIG DoD John.Ngo at ...3745...
Tue Nov 6 08:11:00 EST 2012


Hello,

 

I'm attempting to create a rule that detects inbound email with pdf attachments named in numbers only (Ex: 12345.pdf) and the name can be in any digits. Below is what I came up with, however, the rule was not triggered. I'm new to SNORT and still learning it. If anyone could please take a look and let me know if i need to make changes to this rule.

 

Thanks so much in advance.

John

 

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email PDF file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/(^\d+[1-9]+\.pdf$)/"; distance:0; classtype:suspicious-filename-detect; sid:100000106; rev:1;)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20121106/d4fb0f5c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5597 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20121106/d4fb0f5c/attachment.bin>


More information about the Snort-sigs mailing list