[Mimedefang] OT:sa rule to catch ie exploit
Lucas Albers
admin at cs.montana.edu
Fri Jan 23 13:31:21 EST 2004
Kevin A. McGrail said:
> URI scan system will only pass in url strings and it is theoretical that IE
> will completely parse a URL without the http[s] so I leave that part of the
> scanning to SA.
>
> uri KAM_URIPARSE /(\%0[01]|\0).*\@/i
Thanks for the information about uri.
It appears your regex is different than mine: where I only match if 01 or 00 is
next to the @, you match if %01 or %00 is anywhere in the email.
Does your regex grab some exploits that my regex misses?
>> uri IE_ADDRESS_SPOOF_EXPLOIT /^https?\:\/\/[^\/\s].*%0[1|0]@/
--
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
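
Added example, not part of the original message or of either poster's rule set: the two `uri` patterns quoted above, copied as posted and run side by side over constructed sample URIs to show where their coverage differs. It exercises only the regular expressions in Python's `re` engine, not SpamAssassin's URI extraction; the sample names and `example.com`/`.test` hosts are assumptions made for the comparison.

```python
import re

# The two SpamAssassin "uri" rule patterns quoted in this thread, as posted.
# Perl's /i flag becomes re.IGNORECASE; "\0" is a literal NUL in both engines.
RULES = {
    "KAM_URIPARSE": re.compile(r"(\%0[01]|\0).*\@", re.IGNORECASE),
    "IE_ADDRESS_SPOOF_EXPLOIT": re.compile(r"^https?\:\/\/[^\/\s].*%0[1|0]@"),
}

# Constructed sample URIs (placeholder hosts), not taken from real mail.
SAMPLES = {
    "encoded_01_next_to_at": "http://www.example.com%01@host.test/",
    "encoded_00_next_to_at": "https://www.example.com%00@host.test/",
    "padding_before_at": "http://www.example.com%01%20%20@host.test/",
    "raw_nul_byte": "http://www.example.com\x00@host.test/",
    "no_scheme": "www.example.com%01@host.test/",
    "uppercase_scheme": "HTTP://www.example.com%01@host.test/",
    "pipe_in_char_class": "http://www.example.com%0|@host.test/",
    "plain_userinfo": "http://user@host.test/",
}


def compare(samples=SAMPLES):
    """Return {sample_name: set of rule names whose pattern matches}."""
    return {
        name: {rule for rule, rx in RULES.items() if rx.search(uri)}
        for name, uri in samples.items()
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:24} {', '.join(sorted(hits)) or '-'}")
```

The `pipe_in_char_class` sample is matched only by the second pattern because `[1|0]` is a character class that also contains a literal `|`.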