Snort mailing list archives

Base 64 encoding

From: phorvati <phorvati () icpnm org>
Date: Thu, 4 Mar 2004 10:39:12 -0500

 Would anyone have any idea how to search for a few (4-5) bytes hex
 signature of a binary executable encoded into base64.  The problem
 is that I keep getting email worm attachments that are actaully
 windows executables.   The hex signature can start
 at the beggining or at any point in the base64 encoded attachment.

 I want to capture this before it gets to our SMTP server.

-- 
Sincerely,
 Petar Horvatic                           
mailto:phorvati () icpnm org






-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SNORT Rule for netbios brute force break-in Robert Caplan (Feb 11)
- <Possible follow-ups>
- RE: SNORT Rule for netbios brute force break-in Shaffer, Paul D (Feb 11)
- SNORT Rule for netbios brute force break-in Robert Caplan (Feb 11)
- RE: SNORT Rule for netbios brute force break-in larosa, vjay (Feb 11)
  - Base 64 encoding phorvati (Mar 04)