[Snort-sigs] Rule thoughts

James Lay jlay at ...3266...
Thu Sep 6 15:08:14 EDT 2012

Hey all,

So...been keeping my eye on:


and was interested in this portion to have Snort look at:

     font-family: "MyFont";
     src: url(mailto:xxx<... approximately 2,020 characters removed 

My thought was to do something like:

content: "mailto:<"; content: ">"; within: 1500;

or would offset be more appropriate?  Any pointers would help...thank 


More information about the Snort-sigs mailing list