[Snort-sigs] Low hanging fruit #3

James Lay jlay at ...3266...
Mon Oct 22 11:53:22 EDT 2012


Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"POLICY 1.usa.gov URL 
in email, possible spam redirect"; flow:to_server, established; 
file_data; content:"1.usa.gov"; pcre:"/\x2f[a-f0-9]{6,8}/msi"; 
reference:url,http://www.symantec.com/connect/blogs/spam-gov-urls; 
classtype:bad-unknown; sid:10000034; rev:1;)

Doubt this will be useful for long.  Sanity tested and running in a 
live environment, but no pcaps.

James




More information about the Snort-sigs mailing list