Rule to detect IE exploit. Your mileage may vary.
Will match these exploits:

Replace ttp with http (so it will slip by my scanner and McAfee).

ttp://[EMAIL PROTECTED]/malicious.html
ttp://[EMAIL PROTECTED]/malicious.html
ttp://[EMAIL PROTECTED]/malicious.html
ttp://[EMAIL PROTECTED]
ttp://[EMAIL PROTECTED]/

Attached is the sa local.cf rule to do this. I recommend you leave it at the default level and see what you catch before raising the score.

uri IE_ADDRESS_SPOOF_EXPLOIT /^https?\:\/\/[^\/\s].*%0[01]@/
describe IE_ADDRESS_SPOOF_EXPLOIT Message contains IE address spoof
score IE_ADDRESS_SPOOF_EXPLOIT .01

You can see the regexp match by putting these items in a file and running this from the command line against a file:

perl -ne 'print if s/(https?\:\/\/[^\/\s].*%0[01]@)/$1/' /tmp/test.txt

-- 
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
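
A small harness for trying the rule's regular expression on sample URIs before raising its score, added here as an example and not part of the original post. The sample URIs are constructed, and STRICT is a hypothetical tighter pattern (an assumption) that only accepts the encoded byte before the first "/", "?" or "#".

```python
import re

# The rule's pattern, with the character class written as [01]
# (inside brackets "|" is a literal character, not alternation).
RULE = re.compile(r"^https?://[^/\s].*%0[01]@")

# Hypothetical tighter variant (an assumption, not from the post): the encoded
# byte must appear in the authority part, before the first "/", "?" or "#".
STRICT = re.compile(r"^https?://[^/?#\s]*%0[01]@")

# Constructed sample URIs on reserved example domains.
SAMPLES = [
    ("http://www.example.com%01@other.example/malicious.html", "spoofed authority"),
    ("https://www.example.com%00@other.example/", "spoofed authority"),
    ("http://www.example.com/page?ref=a%01@b", "marker only in query string"),
    ("http://user@www.example.com/", "ordinary userinfo"),
    ("http://www.example.com/index.html", "benign"),
]


def evaluate(samples=SAMPLES):
    """Return (uri, note, rule_hit, strict_hit) for every sample URI."""
    return [(u, n, bool(RULE.search(u)), bool(STRICT.search(u)))
            for u, n in samples]


def disagreements(samples=SAMPLES):
    """URIs where the two patterns differ: candidates for manual review."""
    return [u for u, _, rule_hit, strict_hit in evaluate(samples)
            if rule_hit != strict_hit]


if __name__ == "__main__":
    for uri, note, rule_hit, strict_hit in evaluate():
        print(f"rule={rule_hit!s:5} strict={strict_hit!s:5} {note}: {uri}")
    print("review:", disagreements())
```

Because `.*` is greedy and not limited to the host part, the rule also fires when the marker appears later in the URI, which is one reason to watch what it catches at a low score first.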

