On Wed, 10 Mar 2004 [EMAIL PROTECTED] wrote:
> I'm trying to catch viral attachments, namely those with the extension scr,
> exe, bat, com, pif, etc. The Content-Disposition header to catch the
> filename.
> I tried it, using a working RegEx which I verified in a testing program, but
> SA doesn't pick it up.
> Is there an example on how to do this?
The trick is, only the 'full' rules will check the attachments. (Unwrap the test line):

full LOC_DBLEXTONATTACH /name="?[^"]*\.(?:html?|txt|doc|rtf|jpe?g|gif|wpd|pdf|zip)\.(?:pif|exe|com|cmd|bat|scr)/i
describe LOC_DBLEXTONATTACH Message attachment has VIRUS-style double ext
score LOC_DBLEXTONATTACH 0.5

Note: this is a minimal test and will also catch messages that give examples of the double extension IN the body of a message, and trigger on quoted mime headers with double extensions in bounced mail, etc.

- Charles
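The behaviour Charles describes, as an added example that is not part of the list post: a `full` rule runs its regex over the entire raw message, so it fires on a real double-extension attachment but also on the same text quoted in a body. The script below reuses the LOC_DBLEXTONATTACH pattern verbatim (Python's `re` accepts this Perl syntax unchanged), runs it the way a `full` rule would, and contrasts it with a narrower check that inspects only the filenames of actual MIME parts. The three messages are constructed for this demonstration; the `example.invalid` addresses, the base64 payload and the helper names are assumptions, not anything from the thread.

```python
import re
from email import message_from_string
from email.policy import default

# The regex from Charles' LOC_DBLEXTONATTACH rule, copied as-is.
DBLEXT_RE = re.compile(
    r'name="?[^"]*\.(?:html?|txt|doc|rtf|jpe?g|gif|wpd|pdf|zip)'
    r'\.(?:pif|exe|com|cmd|bat|scr)',
    re.IGNORECASE,
)

# Same extension lists, but anchored to the end of a parsed filename so it only
# fires on the attachment's real name, not on text that happens to contain 'name='.
DBLEXT_NAME_RE = re.compile(
    r'\.(?:html?|txt|doc|rtf|jpe?g|gif|wpd|pdf|zip)\.(?:pif|exe|com|cmd|bat|scr)$',
    re.IGNORECASE,
)

# Constructed sample 1: a genuine attachment carrying a double extension.
ATTACH_MSG = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.

--XYZ
Content-Type: application/octet-stream; name="report.doc.scr"
Content-Disposition: attachment; filename="report.doc.scr"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=

--XYZ--
"""

# Constructed sample 2: no attachment at all, but the body quotes a MIME header
# (the false positive Charles warns about: examples in the body, bounced mail).
BODY_MENTION_MSG = """\
From: helpdesk@example.invalid
To: staff@example.invalid
Subject: reminder
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Do not open attachments that arrive with a header like
Content-Type: application/octet-stream; name="invoice.pdf.exe"
"""

# Constructed sample 3: an ordinary single-extension attachment.
CLEAN_MSG = """\
From: colleague@example.invalid
To: staff@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain; charset="us-ascii"

Notes from today.

--ABC
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

line one
--ABC--
"""


def full_rule_hits(raw: str) -> bool:
    """Emulate a SpamAssassin 'full' rule: the regex sees the whole raw message."""
    return DBLEXT_RE.search(raw) is not None


def attachment_names(raw: str) -> list:
    """Filenames of non-multipart MIME parts, taken from Content-Disposition/Content-Type."""
    msg = message_from_string(raw, policy=default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def attachment_rule_hits(raw: str) -> bool:
    """Narrower check: only the real attachment names are tested, so body text
    and quoted headers in bounces cannot trigger it."""
    return any(DBLEXT_NAME_RE.search(name) for name in attachment_names(raw))


if __name__ == "__main__":
    for label, raw in (("attachment", ATTACH_MSG),
                       ("body mention", BODY_MENTION_MSG),
                       ("clean", CLEAN_MSG)):
        print(f"{label:13s} full-rule={full_rule_hits(raw)!s:5s} "
              f"attachment-only={attachment_rule_hits(raw)}")
```

Running it shows the raw-message regex flagging both the genuine attachment and the body-only mention, while the parsed-filename check flags only the genuine attachment; that gap is the scoring trade-off behind the modest 0.5 score on the list rule.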
