[Mimedefang] OT:sa rule to catch ie exploit

Lucas Albers admin at cs.montana.edu
Fri Jan 23 13:31:21 EST 2004


Kevin A. McGrail said:
> URI scan system will only pass in url strings and it is theoretical that
> IE
> will completely parse a URL without the http[s] so I leave that part of
> the
> scanning to SA.
>
> uri KAM_URIPARSE       /(\%0[01]|\0).*\@/i

Thanks for the information about uri.
It appears your gex is different then mine, where I only match if 01 or 00
next to the @ you match if %01 or %00 are anywhere in email.
Does your regex grab some exploits that my regex misses?

>> uri IE_ADDRESS_SPOOF_EXPLOIT  /^https?\:\/\/[^\/\s].*%0[1|0]@/
-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana



More information about the MIMEDefang mailing list