[Snort-sigs] Rule thoughts

James Lay jlay at ...3266...
Thu Sep 6 15:08:14 EDT 2012


Hey all,

So...been keeping my eye on:

http://seclists.org/bugtraq/2012/Sep/29

and was interested in this portion to have Snort look at:

   @font-face
   {
     font-family: "MyFont";
     src: url(mailto:xxx<... approximately 2,020 characters removed 
...>xxx);
   }

My thought was to do something like:

content: "mailto:<"; content: ">"; within: 1500;

or would offset be more appropriate?  Any pointers would help...thank 
you.

James






More information about the Snort-sigs mailing list