Re: Rule to detect mailsploit

John Hardin Wed, 06 Dec 2017 09:31:59 -0800

On Wed, 6 Dec 2017, Antony Stone wrote:

On Wednesday 06 December 2017 at 18:15:55, John Hardin wrote:

On Wed, 6 Dec 2017, Kevin A. McGrail wrote:


Something like this:

header    __KAM_MAILSPLOIT1   From =~ /[\0]/
describe    __KAM_MAILSPLOIT1    RFC2047 Exploit
https://www.mailsploit.com/index

And a paired rules for \n looking for maxhits.  Beyond that, what's a
good control character regex?

From memory (sorry, in a meeting):  [\x00-\x19]

Why not up to 0x1F?


...because I was distracted by the meeting? :)

[\x00-\x1f]

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Tomorrow: The 76th anniversary of Pearl Harbor

Re: Rule to detect mailsploit

Reply via email to