[Snort-sigs] Help with a custom SNORT rule.

lists at ...3397... lists at ...3397...
Tue Nov 6 10:48:08 EST 2012

On 11/06/2012 07:11 AM, Ngo, John, OIG DoD wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email PDF file
> attachment"; flow:to_server,established; content:"Content-Disposition|3A|";
> nocase; pcre:"/(^\d+[1-9]+\.pdf$)/"; distance:0;
> classtype:suspicious-filename-detect; sid:100000106; rev:1;)

Using RFC 2183... not sure if outdated.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email with PDF
attachment"; flow:established,to_server; content:"Content-Disposition|3a|";
nocase; pcre:"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri";
classtype:suspicious-filename-detect; sid:x; rev:1;)

I've been back and forth on how to effectively make this performance friendly
and it's going to be PCRE-heavy regardless; I like the idea of keeping the PCRE
relative to the previous content match from a performance aspect.


More information about the Snort-sigs mailing list