[Esd-l] Revised SoBig-F local rule
John D. Hardin
jhardin at impsec.org
Thu Aug 21 10:14:06 PDT 2003
On Thu, 21 Aug 2003, Scott Taylor wrote:
> That new rule doesn't seem to catch:
> REPORT: Trapped poisoned executable "wicked_scr.scr"
It's not intended to. The sanitizer catches those just fine without
any special local rules.
The only reason I published this update was that I misread the
Symantec writeup and thought SoBig.F had changed the .ZIP file
attachment names, when actually it has stopped using .ZIP files
entirely (thank goodness).
Apart from trapping specific .ZIP-file-based attacks, the local rules
are only intended to identify *which* attack was trapped.
In the case of SoBig.F, where it's .pif and .scr files and the sender
address is forged, there's really no point to even having a local
rule, as it doesn't improve the chances of trapping it and there's no
way to notify the sender what they are infected with.
> There are a couple of very long lines there, should they be one line?
> ie:
> * 9876543210^1 ^Content-(Type|Disposition):.*name *=
> *"?(action|your_(details|document)|application|details|document(_all)?|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.zip"?
Yes. Mailers like to wrap lines.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
72 days until Matrix Revolutions
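As an added illustration, not code from the thread or from the Email Sanitizer itself, the quoted local rule is joined back onto the single line a procmail recipe requires and run against a few constructed MIME header lines, next to a stand-in for the sanitizer's built-in trapping of .pif/.scr attachments. It confirms the point made above: the .ZIP local rule only names the attack, and wicked_scr.scr is left to the default poisoned-executable check. The executable-extension pattern, the `classify` labels and the sample headers are assumptions made for this example.

```python
import re

# The local rule from the thread, as it must appear in a procmail recipe: one
# physical line (mailers wrap it, which breaks the rule). Only the regex part of
# the "* 9876543210^1 <regex>" condition is used here. procmail matches
# case-insensitively, hence re.IGNORECASE.
SOBIG_ZIP_RULE = re.compile(
    r'^Content-(Type|Disposition):.*name *= *"?'
    r'(action|your_(details|document)|application|details|document(_all)?'
    r'|screensaver|movie|thank_you|wicked_scr)_?[0-9]*\.zip"?',
    re.IGNORECASE,
)

# Stand-in (an assumption for this example, not the sanitizer's actual code) for
# the sanitizer's built-in "poisoned executable" check, which the thread says
# already traps SoBig.F's .pif and .scr attachments without any local rule.
POISONED_EXECUTABLE = re.compile(
    r'^Content-(Type|Disposition):.*name *= *"?[^";\s]*\.(pif|scr)"?\s*$',
    re.IGNORECASE,
)


def matches_local_rule(header: str) -> bool:
    """True if the SoBig.F .ZIP local rule would fire on this MIME header line."""
    return SOBIG_ZIP_RULE.match(header.strip()) is not None


def classify(header: str) -> str:
    """Label a header line the way a trap report could: which check identified it.

    The local rule only names the attack; a .pif/.scr attachment is trapped
    by the default check regardless of whether any local rule matches.
    """
    h = header.strip()
    if SOBIG_ZIP_RULE.match(h):
        return "sobig-zip-rule"
    if POISONED_EXECUTABLE.match(h):
        return "poisoned-executable"
    return "clean"


# Constructed sample header lines for the demonstration (not captured traffic).
SAMPLE_HEADERS = [
    'Content-Disposition: attachment; filename="your_document.zip"',
    'Content-Disposition: attachment; filename="document_all_123.zip"',
    'Content-Type: application/octet-stream; name="Application.ZIP"',
    'Content-Type: application/octet-stream; name="wicked_scr.scr"',
    'Content-Disposition: attachment; filename=thank_you.pif',
    'Content-Disposition: attachment; filename="report.pdf"',
]


def run_samples(headers=SAMPLE_HEADERS) -> dict:
    """Return {header line: label} for each sample."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, label in run_samples().items():
        print(f"{label:20s} {header}")
```

The .ZIP rule and the executable check are deliberately kept separate, which is why the rule's only job in the SoBig.F case would be to put a name on a trap report that would happen anyway.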