- Original Message -
From:
Chris Santerre
To: 'Chris Trudeau-Personal' ; [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 9:00
AM
Subject: RE: [SAtalk] Not sure
how...
This has
been discussed. The rules will not hit because of the embedded mime code. T
This is a bit
weird.I have the following rules in my local.cf:rawbody
MY_PERCENT_OBFU /\%..\%..\%../idescribe MY_PERCENT_OBFU Tries to OBFU link
with % signsscore MY_PERCENT_OBFU 1.55rawbody MY_IMAGE_FILEĀ
/.*name=.*\.(pic|gif|jpg)("|$)/describe MY_IMAGE_FILE Includes an image file
either e
this thing got me again today... One squeaked through...
My rule didn't fire, but has in the past...not sure what I'm donig
wrong...but here is the rule:
rawbody MY_IMAGE_FILE /filename="[^"]*\.(gif|jpg)"/
describe MY_IMAGE_FILE Includes an image file either embedded or otherwise
score MY_IMAGE_
meta rule includingattachment
detail...any ideas?
CT
- Original Message -
From: "Chris Trudeau-Personal" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 7:08 AM
Subject: [SAtalk] HEX IN URI and attachments
> All,
>
> Is it safe to sa
All,
Is it safe to say that no legitimate email would try and hide a URI in the
body of a message by using the hex equivalent of the link?
It seems to me that is the case.
if so, I would like to write a rule that detects the use of this tactic.
Also, is it possible for SA to detect attachments?
Bad idea...there are lots of sites out there that block ICMP and that don't
have related "www" sites.
CT
- Original Message -
From: "Michael Clark" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 4:51 PM
Subject: [SAtalk] Rule for no web site?
> Would
