> -----Original Message----- > From: Fred > > Hello, > I am out the door on my way to work but we need a rule for a > new IE exploit just released, Visit this page, the exploit is > harmless but to the spoofer, it's man's best friend. > > http://www.zapthedingbat.com/security/ex01/vun1.htm > > I think this should be put in the next SA release!!
I am not the best at this but here is my crack at it: describe MY_URI_IEEXPLOIT MY: IE Exploit uri MY_URI_IEEXPLOIT /https?:\/\/(\w+\-?\.?)+\W@/i score MY_URI_IEEXPLOIT 4.0 Or maybe: uri MY_URI_IEEXPLOIT /https?:\/\/.*\%(?:[0-1][0-1a-f]|7f)@/i That includes non-existing %11 but it is clean. Or combined: uri MY_URI_IEEXPLT /https?:\/\/(\w+\-?\.?)+\%(?:[0-1][0-1a-f]|7f)@/i --Larry ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
