[Snort-sigs] Rule thoughts

Joel Esler jesler at ...435...
Thu Sep 6 15:14:41 EDT 2012


Think in the reverse order.

content:"mailto:<"; content:!">"; distance:0; within:1500;

Although, if you have a mailto that is longer than say... 100, that's probably bad.

On Sep 6, 2012, at 3:08 PM, James Lay <jlay at ...3266...> wrote:

> Hey all,
> 
> So...been keeping my eye on:
> 
> http://seclists.org/bugtraq/2012/Sep/29
> 
> and was interested in this portion to have Snort look at:
> 
>   @font-face
>   {
>     font-family: "MyFont";
>     src: url(mailto:xxx<... approximately 2,020 characters removed 
> ...>xxx);
>   }
> 
> My thought was to do something like:
> 
> content: "mailto:<"; content: ">"; within: 1500;
> 
> or would offset be more appropriate?  Any pointers would help...thank 
> you.
> 
> James
> 
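As an added illustration (the editor's code, not from either poster and not Snort's own engine), here is a small Python model of Snort's relative `content`/`within` matching, run over two constructed CSS samples. It shows why the negated match Joel suggests fires on an address the size of the advisory's sample while the plain `>` match does not, and what lowering `within` to 100 does; the function and sample names are assumptions.

```python
# Added example (not from the thread): a minimal model of Snort's content/within
# matching, used to compare the two rule fragments discussed above on constructed
# CSS samples. Function and sample names are the editor's, not Snort's.

MAILTO_OPEN = b"mailto:<"

def content_after(buf, pattern, cursor, within):
    """Snort-style relative content: the pattern must lie entirely inside the
    `within` bytes that follow `cursor` (distance:0). Returns match end or None."""
    idx = buf.find(pattern, cursor, cursor + within)
    return None if idx < 0 else idx + len(pattern)

def _openings(buf):
    """Yield the cursor after every 'mailto:<' occurrence; Snort retries later
    occurrences of the first content when a subsequent content fails to match."""
    pos = buf.find(MAILTO_OPEN)
    while pos >= 0:
        yield pos + len(MAILTO_OPEN)
        pos = buf.find(MAILTO_OPEN, pos + 1)

def james_rule(buf, within=1500):
    # content:"mailto:<"; content:">"; within:1500;
    # Fires when a '>' closes the address inside the window.
    return any(content_after(buf, b">", cur, within) is not None
               for cur in _openings(buf))

def joel_rule(buf, within=1500):
    # content:"mailto:<"; content:!">"; distance:0; within:1500;
    # Fires when NO '>' closes the address inside the window.
    return any(content_after(buf, b">", cur, within) is None
               for cur in _openings(buf))

# Constructed samples: a normal mailto, and one shaped like the advisory's
# @font-face src with a ~2,020-byte address (padding stands in for the payload).
BENIGN = b'@font-face { src: url(mailto:<user@example.com>); }'
LONG = b'@font-face { src: url(mailto:<' + b'x' * 2020 + b'>); }'

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN), ("long", LONG)):
        print(name, "james:", james_rule(buf), "joel:", joel_rule(buf),
              "joel@100:", joel_rule(buf, within=100))
```

The model covers only the `content`, `distance:0` and `within` semantics at issue here; real Snort also applies `offset`/`depth`, fast-pattern selection and buffer choice before this logic runs.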
