All,
Is it safe to say that no legitimate email would try and hide a URI in the
body of a message by using the hex equivalent of the link?
It seems to me that is the case.
If so, I would like to write a rule that detects the use of this tactic.
Also, is it possible for SA to detect attachments?
meta rule including attachment
detail...any ideas?
CT
- Original Message -
From: "Chris Trudeau-Personal" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 19, 2003 7:08 AM
Subject: [SAtalk] HEX IN URI and attachments
> All,
>
> Is it safe to sa
this thing got me again today... One squeaked through...
My rule didn't fire, but has in the past...not sure what I'm doing
wrong...but here is the rule:
rawbody MY_IMAGE_FILE /filename="[^"]*\.(gif|jpg)"/
describe MY_IMAGE_FILE Includes an image file either embedded or otherwise
score MY_IMAGE_
This is a bit weird. I have the following rules in my local.cf:
rawbody MY_PERCENT_OBFU /\%..\%..\%../i
describe MY_PERCENT_OBFU Tries to OBFU link with % signs
score MY_PERCENT_OBFU 1.55
rawbody MY_IMAGE_FILE /.*name=.*\.(pic|gif|jpg)("|$)/
describe MY_IMAGE_FILE Includes an image file either e
- Original Message -
From: Chris Santerre
To: 'Chris Trudeau-Personal' ; [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 9:00 AM
Subject: RE: [SAtalk] Not sure how...
This has
been discussed. The rules will not hit because of the embedded mime code. T
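An added example, not part of this thread and not SpamAssassin code: the two checks discussed in the messages above (a run of %XX escapes inside a URI, and an image attachment name) written in Python and applied to each MIME part after its transfer encoding has been decoded. The function name scan, the sample message and the .invalid host are constructed for illustration.

```python
import base64
import re
from email import message_from_string
from urllib.parse import unquote

# Three or more %XX escapes in a row, the idea behind MY_PERCENT_OBFU.
PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")
URI = re.compile(r"https?://[^\s\"'<>]+", re.I)
IMAGE_NAME = re.compile(r"\.(?:pic|gif|jpg)$", re.I)


def scan(raw_message):
    """Return (obfuscated_uris, image_filenames) for one message."""
    uris, images = [], []
    for part in message_from_string(raw_message).walk():
        # get_filename() reads Content-Disposition filename= or Content-Type name=
        name = part.get_filename()
        if name and IMAGE_NAME.search(name):
            images.append(name)
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 / quoted-printable before matching.
        data = part.get_payload(decode=True) or b""
        text = data.decode("latin-1")  # byte-transparent; enough for ASCII URIs
        for uri in URI.findall(text):
            if PERCENT_RUN.search(uri):
                uris.append((uri, unquote(uri)))
    return uris, images


# Constructed sample: base64 HTML part with a hex-escaped host, plus a GIF.
_HTML = '<a href="http://%65%78%61%6d%70%6c%65.invalid/offer">click</a>'
SAMPLE = "\n".join([
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html; charset=us-ascii",
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(_HTML.encode()).decode(),
    "--b1",
    "Content-Type: image/gif",
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="photo.gif"',
    "",
    base64.b64encode(b"GIF89a").decode(),
    "--b1--",
])
if __name__ == "__main__":
    print(scan(SAMPLE))
```

On this constructed sample the same percent pattern finds nothing in the undecoded message source, because the HTML part is base64-encoded.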
Bad idea...there are lots of sites out there that block ICMP and that don't
have related "www" sites.
CT
- Original Message -
From: "Michael Clark" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 4:51 PM
Subject: [SAtalk] Rule for no web site?
> Would