Rule to detect IE exploit. http://vil.nai.com/vil/content/v_100927.htm
Your virus scanners detect this exploit. (mcafee/clamscan...) Your mileage may vary.

Will match these exploits: Replace ttp with http (so it will slip by my scanner and mcafee.)

    ttp://[EMAIL PROTECTED]/malicious.html
    ttp://[EMAIL PROTECTED]/malicious.html
    ttp://[EMAIL PROTECTED]/malicious.html
    ttp://[EMAIL PROTECTED]

Attached is the sa local.cf rule to do this. I recommend you leave it at the default level and see what you catch before raising the score.

    # Flags URIs that carry %00 or %01 immediately before the "@"
    uri IE_ADDRESS_SPOOF_EXPLOIT /^https?\:\/\/[^\/\s].*%0[01]@/
    describe IE_ADDRESS_SPOOF_EXPLOIT Message contains IE address spoof
    score IE_ADDRESS_SPOOF_EXPLOIT .01

You can see the regexp match by putting these items in a file and running this from the command line against a file:

    perl -ne 'print if s/(https?\:\/\/[^\/\s].*%0[01]@)/$1/' /tmp/test.txt

Thanks to everyone who posted up other versions of this rule, which I based this rule off of.

--
Luke
Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
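
A small Perl harness for trying the rule's pattern before deploying it, added here as an example and not part of the original post. The sample URIs are constructed (example.com and example.net are reserved names), the pattern uses the character class [01] so that only %00 and %01 match, and the stricter variant is an assumption of this example: it stops at the first "/" so the escape has to sit before the host rather than anywhere later in the URI.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The rule's pattern, and a tighter variant (assumption of this example)
# that does not let the match run past the first "/" after the scheme.
my $rule   = qr{^https?://[^/\s].*%0[01]@};
my $strict = qr{^https?://[^/\s]+%0[01]@};

# Constructed sample URIs, one per case worth checking.
my @samples = (
    'http://www.example.com%01@example.net/malicious.html',  # %01 before "@"
    'http://www.example.com%00@example.net/malicious.html',  # %00 before "@"
    'https://www.example.com%01@example.net',                # https, no path
    'http://user@example.net/index.html',                    # plain userinfo
    'http://example.net/redirect?next=a%01@b',               # %01@ in query only
    'http://www.example.com/',                               # ordinary link
);

# Print one row per URI showing which pattern fires.
printf "%-6s %-6s %s\n", 'rule', 'strict', 'uri';
for my $uri (@samples) {
    printf "%-6s %-6s %s\n",
        ($uri =~ $rule   ? 'hit' : '-'),
        ($uri =~ $strict ? 'hit' : '-'),
        $uri;
}
```

The first three URIs hit both patterns, the plain-userinfo and ordinary links hit neither, and the query-string case hits only the rule's `.*` form, which is the false-positive source to watch for when raising the score.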