[Snort-sigs] Help with a custom SNORT rule.

lists at ...3397...
Tue Nov 6 10:56:27 EST 2012


On 11/06/2012 09:48 AM, lists at ...3397... wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Test email with PDF
> attachment"; flow:established,to_server; content:"Content-Disposition|3a|";
> nocase; pcre:"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri";
> classtype:suspicious-filename-detect; sid:x; rev:1;)

Missing a leading forward slash (sorry for the list spam). The rule is untested;
hopefully it helps.

pcre:"/filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?/Ri";
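As an added example (not part of the original post), the corrected pcre can be checked offline by emulating Snort's content match followed by the relative (/R) pcre search with Python's re module. The SMTP header fragments are constructed for this test, and Python re semantics are assumed to agree with PCRE for this particular pattern.

```python
import re

# Snort "content" option from the rule: |3a| is the hex escape for ':',
# and the nocase modifier makes the match case-insensitive.
CONTENT = re.compile(rb"Content-Disposition:", re.I)

# The corrected pcre with its leading slash. The /i modifier maps to re.I;
# the /R modifier (evaluate relative to the end of the previous content
# match) has no re equivalent and is emulated in rule_matches() below.
PCRE = re.compile(rb"filename\x20*?=[\x20\x22\x27]*?\d+\.pdf[\x20\x22\x27]?", re.I)


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's content + pcre/R pair against one TCP payload.

    Snort re-evaluates the pcre for each occurrence of the content match,
    so every MIME part carrying a Content-Disposition header is tried.
    """
    for m in CONTENT.finditer(payload):
        # /R: the regex search starts where the content match ended.
        if PCRE.search(payload, m.end()) is not None:
            return True
    return False


# Constructed SMTP DATA fragments (not from the original post) exercising
# the pattern. Note the trailing [\x20\x22\x27]? is optional, so a name such
# as 123.pdf.exe is still matched: the rule flags an all-digit name followed
# by ".pdf", not a filename that ends in .pdf.
SAMPLES = {
    "quoted_digits": (b"Content-Type: application/pdf\r\n"
                      b'Content-Disposition: attachment; filename="20121106.pdf"\r\n'),
    "folded_header_upper_ext": (b"content-disposition: attachment;\r\n"
                                b"\tfilename = 42.PDF\r\n"),
    "alpha_name": b'Content-Disposition: attachment; filename="report.pdf"\r\n',
    "double_extension": b'Content-Disposition: attachment; filename="123.pdf.exe"\r\n',
    "no_header": b"Subject: invoice 123.pdf\r\n\r\nsee attached\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:24s} -> {'ALERT' if rule_matches(payload) else 'no match'}")
```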