filename rule problem

DNSAdmin dnsadmin at 1BIGTHINK.COM
Mon Oct 27 20:13:33 GMT 2003


At 02:53 PM 10/27/2003 -0500, you wrote:

--SNIP--

>For reference the default rule is:
>deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding     Attempt to hide real filename extension
>
>Which looks for any 3 or 4 character extension that starts with a letter,
>followed by any 3 character extension.
>
>1) double 3 char extensions are blocked, but I removed numerics from the
>second extension, I don't know of any executable formats used by viruses
>that have numbers in them, but know of several that are commonly done with
>lots of dots in the filename (ie: .mp3)
>
>deny    \.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$        Found possible filename hiding     Attempt to hide real filename extension
>
>
>2) I created several _specific_ 4 character extensions to look for a hidden
>3 character after. I was having problems with things like resumes sent to
>HR being named "kettler.matt.doc" and being caught, so I did not want a
>generic "any 4 character extension" rule. Of course, you could still have
>problems with 3 character names like "kettler.joe.doc", but those are less
>common. 4-letter is generally more problematic as it gets quite a variety
>of surnames as well, ie: "joseph.hill.doc". There's also not very many
>4-letter file extensions that are commonly used, so making a list of them
>is much easier than making a list of 3 char extensions.
>
>I specifically picked common 4 character extensions which are actually used
>and that a user might mistake as being something "safe" if they can't see
>the extra extension.
>
>deny    \.text\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.jpeg\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.mpeg\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.pict\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.jiff\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.html\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.tiff\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.vrml\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.conf\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.diff\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.java\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.cert\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension
>deny    \.icon\s*\.[a-z]{3}$    Found possible filename hiding     Attempt to hide real filename extension

Hey thanks, Matt! I like your solution. I think it is more correct and will
fit my needs as well as Chris, who had initially brought up this subject.

Thanks!
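A small harness, added here and not part of the thread, that runs the stock rule and Matt's revised rule set over the filenames discussed above so the false positives he describes (and the ones that remain) can be seen side by side. It assumes first-match-wins, case-insensitive matching of the regexp column; the sample filenames are constructed.

```python
import re

LOG = "Found possible filename hiding"
USER = "Attempt to hide real filename extension"

# The stock rule quoted at the top of the message.
DEFAULT_RULES = [("deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", LOG, USER)]

# Matt's replacement: a 3-char-then-3-letter rule plus one rule per listed 4-char extension.
FOUR_CHAR_EXTS = ["text", "jpeg", "mpeg", "pict", "jiff", "html", "tiff",
                  "vrml", "conf", "diff", "java", "cert", "icon"]
REVISED_RULES = [("deny", r"\.[a-z][a-z0-9]{2}\s*\.[a-z]{3}$", LOG, USER)] + [
    ("deny", r"\." + ext + r"\s*\.[a-z]{3}$", LOG, USER) for ext in FOUR_CHAR_EXTS]

def compile_rules(rules):
    """Compile the regexp column; case-insensitive matching is an assumption here."""
    return [(action, re.compile(rx, re.IGNORECASE), log, user)
            for action, rx, log, user in rules]

def check_filename(name, rules):
    """Return (action, regexp) of the first rule that fires, or None if the name passes."""
    for action, rx, log, user in compile_rules(rules):
        if rx.search(name):
            return action, rx.pattern
    return None

def compare(names):
    """Map each name to (default denies?, revised denies?) so the differences stand out."""
    return {n: (check_filename(n, DEFAULT_RULES) is not None,
                check_filename(n, REVISED_RULES) is not None) for n in names}

# Constructed sample filenames, chosen to exercise the cases raised in the message.
SAMPLES = [
    "report.txt.exe",       # classic double extension: both rule sets deny
    "kettler.matt.doc",     # the HR resume case: default denies, revised passes
    "kettler.joe.doc",      # 3-char middle name: still a false positive under both
    "my.song.mp3",          # dotted media name: default denies, revised passes (digit in mp3)
    "holiday.jpeg   .scr",  # space-padded 4-char extension: caught by the .jpeg rule
    "invoice.pdf",          # single extension: passes both
]

if __name__ == "__main__":
    for name, (default_hit, revised_hit) in compare(SAMPLES).items():
        verdict = lambda hit: "deny" if hit else "pass"
        print(f"{name!r:24} default={verdict(default_hit)}  revised={verdict(revised_hit)}")
```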
