[Snort-sigs] Rule thoughts

James Lay jlay at ...3266...
Thu Sep 6 15:22:56 EDT 2012


On 2012-09-06 13:14, Joel Esler wrote:
> Think in the reverse order.
>
> content:"mailto:<"; content:!">"; distance:0; within:1500;
>
> Although if you have a mailto that is longer than say... 100,
> that's probably bad.
>
> On Sep 6, 2012, at 3:08 PM, James Lay <jlay at ...3266...> 
> wrote:
>
>> Hey all,
>>
>> So...been keeping my eye on:
>>
>> http://seclists.org/bugtraq/2012/Sep/29
>>
>> and was interested in this portion to have Snort look at:
>>
>>   @font-face
>>   {
>>     font-family: "MyFont";
>>     src: url(mailto:xxx<... approximately 2,020 characters removed
>> ...>xxx);
>>   }
>>
>> My thought was to do something like:
>>
>> content: "mailto:<"; content: ">"; within: 1500;
>>
>> or would offset be more appropriate?  Any pointers would help...
>> thank you.
>>
>> James

Thanks for fixing my thinking Joel :)  Guess maybe a more generic rule
would work as well..."Unusually long mailto detected" or something.
I'll see what I can come up with.

James
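Added example (not part of the thread, and not Snort's own code): a small Python model of Snort's relative content modifiers, used to run both rule fragments from the thread, plus the "unusually long mailto" idea, over constructed sample buffers. The matcher semantics are an assumption simplified from the Snort 2 manual, the sample buffers and the 100-byte threshold for the generic check are constructed, and the function names are hypothetical.

```python
"""Toy model of Snort's relative content modifiers (distance, within, and
the negated content:!"..."), used to compare the two rule fragments from
the thread.  This is an added example, not code from the thread or from
Snort; the semantics are a simplification assumed from the Snort 2 manual
and every sample buffer below is constructed."""

import re
from typing import Iterator, Optional, Tuple

Match = Tuple[int, int]  # (start, end) byte offsets of a matched content


def content(buf: bytes, pattern: bytes, prev: Optional[Match] = None,
            distance: int = 0, within: Optional[int] = None,
            negated: bool = False) -> Optional[Match]:
    """Emulate one 'content' option, optionally with distance/within/!.

    Assumed (simplified) semantics:
      * with no previous match the whole buffer is searched;
      * distance/within are measured from the END of the previous match:
        the window starts `distance` bytes after it and, when `within` is
        given, is `within` bytes long, and the pattern must fit inside it;
      * a negated content succeeds when the pattern is ABSENT from the
        window, and hands the previous match on so later options chain.
    Returns the match span, or None when the option fails.
    """
    start = prev[1] + distance if prev is not None else 0
    end = start + within if within is not None else len(buf)
    idx = buf[start:end].find(pattern)
    if negated:
        return (prev if prev is not None else (0, 0)) if idx == -1 else None
    if idx == -1:
        return None
    return (start + idx, start + idx + len(pattern))


def occurrences(buf: bytes, pattern: bytes) -> Iterator[Match]:
    """Yield every span of `pattern`: Snort retries later occurrences of an
    earlier content when the options that follow it fail to match."""
    pos = buf.find(pattern)
    while pos != -1:
        yield (pos, pos + len(pattern))
        pos = buf.find(pattern, pos + 1)


def james_rule(buf: bytes) -> bool:
    """content:"mailto:<"; content:">"; within:1500;   (first proposal)"""
    return any(content(buf, b">", prev=m, within=1500) is not None
               for m in occurrences(buf, b"mailto:<"))


def joel_rule(buf: bytes) -> bool:
    """content:"mailto:<"; content:!">"; distance:0; within:1500;   (reply)

    distance:0 just says "start right after the previous match"; the
    negated content then asserts that no '>' closes the mailto in the
    next 1500 bytes."""
    return any(content(buf, b">", prev=m, distance=0, within=1500,
                       negated=True) is not None
               for m in occurrences(buf, b"mailto:<"))


def mailto_longer_than(buf: bytes, limit: int = 100) -> bool:
    """Generic 'unusually long mailto' check: a mailto: value that runs for
    at least `limit` bytes before a plausible URL terminator (whitespace,
    quote, closing paren, '>').  The terminator set and the 100-byte
    default are assumptions, not anything stated in the thread."""
    pattern = re.compile(rb'mailto:[^\s"\')>]{' + str(limit).encode() + b',}')
    return pattern.search(buf) is not None


# Constructed sample buffers (not the advisory's actual page).
BENIGN_SAMPLE = b'<p>Write to us: mailto:<sales@example.com></p>'
LONG_MAILTO_SAMPLE = (b'@font-face { font-family: "MyFont"; src: url(mailto:<'
                      + b'A' * 2020 + b'>); }')


if __name__ == "__main__":
    for name, buf in (("benign", BENIGN_SAMPLE), ("long", LONG_MAILTO_SAMPLE)):
        print(f"{name:7s} first={james_rule(buf)!s:5s} "
              f"negated={joel_rule(buf)!s:5s} "
              f"long_mailto={mailto_longer_than(buf)}")
```

Run as a script it prints, for each sample, whether each version fires. The first proposal fires on the short benign mailto (a '>' shows up well inside 1500 bytes) and misses the 2,020-byte one (the '>' is past the window); the negated version does the reverse, which is the "think in the reverse order" point. mailto_longer_than() is one way to express the generic "unusually long mailto" idea; in a real rule the same idea could be a pcre with a bounded repetition, which is not tested against Snort here.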