[Snort-sigs] UTF-8 BOM

James Lay jlay at ...3266...
Mon Apr 8 15:50:28 EDT 2013

It's a Monday, so let's start with something exciting:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS UTF-8 BOM in ZIP"; flow:to_server,established; file_data; content:"zip"; content:"|EF BB BF 50 B4|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10000045; rev:1;)

Or not ;)..thoughts/cleanups/anything_that_would_make_this_useful are 

