[Mimedefang] OT:sa rule to catch ie exploit
Kevin A. McGrail
kmcgrail at pccc.com
Fri Jan 23 14:12:16 EST 2004
> > uri KAM_URIPARSE /(\%0[01]|\0).*\@/i
>
> Thanks for the information about uri.
> It appears your regex is different than mine, where I only match if 01 or 00
> is next to the @; you match if %01 or %00 are anywhere in email.
> Does your regex grab some exploits that my regex misses?
Mine is just simpler. Because I did a URI test, SA is only going to pass it
URIs. Your test is more appropriate for, say, a BODY or SUBJECT test. You
can assume with a URI test you are going to have a URI.
I think it's a question if the http is needed to perform the exploit.
> >> uri IE_ADDRESS_SPOOF_EXPLOIT /^https?\:\/\/[^\/\s].*%0[1|0]@/
Regards,
KAM
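
The difference between the two rules discussed in this message, shown as an added example that is not part of the original post: both patterns are transcribed unchanged and run over constructed sample URIs. Python's `re` stands in for the Perl regex engine here (an assumption that holds for the constructs these two patterns use), and the `example.*` hosts are placeholders.

```python
import re

# The two patterns quoted in the thread, transcribed unchanged.
# The /i flag on the first rule becomes re.IGNORECASE.
KAM_URIPARSE = re.compile(r"(\%0[01]|\0).*\@", re.IGNORECASE)
IE_ADDRESS_SPOOF_EXPLOIT = re.compile(r"^https?\:\/\/[^\/\s].*%0[1|0]@")

# Constructed sample URIs; each string is what a per-URI test would receive.
SAMPLES = [
    "http://www.example.com%01@host.example.net/",     # %01 directly before @
    "http://www.example.com%00@host.example.net/",     # %00 directly before @
    "http://www.example.com%01pad@host.example.net/",  # %01 not adjacent to @
    "www.example.com%01@host.example.net/",            # no http:// scheme
    "http://www.example.com\x00@host.example.net/",    # raw NUL byte, not %-encoded
    "http://user@host.example.net/",                   # ordinary userinfo, benign
    "http://host.example.net/page?x=%01",              # %01 present but no @
]


def compare(uris):
    """Map each URI to (KAM_URIPARSE hit, IE_ADDRESS_SPOOF_EXPLOIT hit).

    search() is used so both patterns are unanchored unless they anchor
    themselves, which is how a Perl m// match behaves.
    """
    return {
        u: (bool(KAM_URIPARSE.search(u)), bool(IE_ADDRESS_SPOOF_EXPLOIT.search(u)))
        for u in uris
    }


def disagreements(uris):
    """Return the URIs on which the two rules give different answers."""
    return [u for u, (kam, ie) in compare(uris).items() if kam != ie]


if __name__ == "__main__":
    for uri, (kam, ie) in compare(SAMPLES).items():
        print(f"KAM={kam!s:5} IE={ie!s:5} {uri!r}")
```

On these samples the rules disagree only where the control character is not immediately before the `@`, where the scheme is missing, or where the NUL is a raw byte; neither fires on ordinary userinfo or on `%01` without an `@`.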