[Esd-l]
John D. Hardin
jhardin at impsec.org
Wed Feb 25 06:30:52 PST 2004
On Tue, 24 Feb 2004, Smart,Dan wrote:
> Look at Nike's recipe for good tags
> (or use it as is, like I do)
> http://agriroot.aua.gr/~nikant/nkvir/
I took a look at that, and I couldn't clearly see any generic Windows
executable signature strings. It looks like basically:
1) test (using straight procmail) for MIME headers about an
executable attachment, then
2) scan for signature strings to identify which specific attack
Those rules look like a limited subset of what the Sanitizer already
does. I've discussed before why pure procmail cannot reliably detect
attachment-based attacks.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
38 days until the Slovakian Presidential Election
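An added illustration of the point made above (this is example code written for this archive page, not code from the esd-l thread, from Nike's recipe, or from the Sanitizer): a one-line, line-oriented header match of the kind a simple procmail recipe uses is compared against a real MIME parser on two constructed messages. In the second message the .exe attachment sits in a nested multipart part and its Content-Disposition header is folded onto a continuation line, so the single-line regex never sees "filename=...exe", while the MIME walk still finds the attachment and can then apply a signature check (here the "MZ" DOS/PE header) to the decoded payload. The extension list, the regex, and both sample messages are assumptions constructed for this example.

```python
"""Naive header regex vs. a real MIME walk over constructed messages."""
import base64
import email
import re
from email import policy

# Constructed payload: an "MZ" DOS/PE header followed by zero padding.
FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
B64_EXE = base64.b64encode(FAKE_EXE).decode()

# Constructed message 1: single-part, attachment headers at top level, unfolded.
SIMPLE_MSG = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: test\n"
    "MIME-Version: 1.0\n"
    "Content-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="invoice.exe"\n'
    "\n"
    f"{B64_EXE}\n"
)

# Constructed message 2: the same attachment inside a nested multipart/mixed
# part, with the Content-Disposition header folded (filename on a continuation
# line). Top-level headers say nothing about an executable.
NESTED_MSG = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: test\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="outer"\n'
    "\n"
    "--outer\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--outer\n"
    'Content-Type: multipart/mixed; boundary="inner"\n'
    "\n"
    "--inner\n"
    "Content-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    ' filename="invoice.exe"\n'
    "\n"
    f"{B64_EXE}\n"
    "--inner--\n"
    "--outer--\n"
)

# Assumed extension list for the example; a real filter would be broader.
EXEC_EXT = r"\.(exe|com|scr|pif|bat|cmd|vbs)"
NAIVE_RE = re.compile(
    r"^Content-(Type|Disposition):.*name=.*" + EXEC_EXT,
    re.IGNORECASE | re.MULTILINE,
)
EXT_RE = re.compile(EXEC_EXT + r"$", re.IGNORECASE)


def naive_header_match(raw: str) -> bool:
    """Single-line regex over the top-level headers only (the default
    procmail condition scope). Misses anything in the body."""
    headers = raw.split("\n\n", 1)[0]
    return NAIVE_RE.search(headers) is not None


def naive_any_line_match(raw: str) -> bool:
    """Same single-line regex over every line of the message. Still misses
    a folded header, because the filename is on a continuation line."""
    return NAIVE_RE.search(raw) is not None


def find_executable_attachments(raw: str) -> list[tuple[str, bool]]:
    """Walk the MIME tree; for each leaf part whose (unfolded) filename has an
    executable extension, decode the body and test for the MZ signature.
    Returns [(filename, starts_with_MZ), ...]."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name or not EXT_RE.search(name):
            continue
        data = part.get_payload(decode=True) or b""
        found.append((name, data[:2] == b"MZ"))
    return found


if __name__ == "__main__":
    for label, raw in (("simple", SIMPLE_MSG), ("nested", NESTED_MSG)):
        print(label, "header-regex:", naive_header_match(raw),
              "any-line-regex:", naive_any_line_match(raw),
              "mime-walk:", find_executable_attachments(raw))
```

Running it shows the header regex and the any-line regex both report True for the simple message and False for the nested one, while the MIME walk reports `[('invoice.exe', True)]` for both. Unfolding headers and recursing into nested parts is exactly the kind of MIME awareness a pure line-matching recipe lacks.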