[Snort-sigs] Rule thoughts

waldo kitty wkitty42 at ...3507...
Fri Sep 7 11:21:57 EDT 2012


On 9/6/2012 15:14, Joel Esler wrote:
> Think in the reverse order.
>
> content:"mailto:<"; content:!">"; distance:0; within:1500;
>
> Although if you have a mailto that is longer than say... 100, that's probably bad.

i guess that means that UUCP bangpaths are seen as "BadJuJu<tm>"? ;) O:)




