16 lines
559 B
Plaintext
16 lines
559 B
Plaintext
|
|
rule Tool_Win32_MailSmtp__MailSmtp{
|
|
meta:
|
|
description = "Tool:Win32/MailSmtp!!MailSmtp,SIGNATURE_TYPE_ARHSTR_EXT,23 00 23 00 06 00 00 "
|
|
|
|
strings :
|
|
$a_81_0 = {48 45 4c 4f } //5 HELO
|
|
$a_81_1 = {45 48 4c 4f } //5 EHLO
|
|
$a_81_2 = {32 35 30 20 4f 4b } //5 250 OK
|
|
$a_81_3 = {44 41 54 41 0d 0a } //10
|
|
$a_81_4 = {52 43 50 54 20 54 4f 3a 3c } //10 RCPT TO:<
|
|
$a_81_5 = {4d 41 49 4c 20 46 52 4f 4d 3a 3c } //10 MAIL FROM:<
|
|
condition:
|
|
((#a_81_0 & 1)*5+(#a_81_1 & 1)*5+(#a_81_2 & 1)*5+(#a_81_3 & 1)*10+(#a_81_4 & 1)*10+(#a_81_5 & 1)*10) >=35
|
|
|
|
} |