April 12th, 2004, 10:24 PM
#4
Stef: Why bother? Seriously..... If this is a corporate environment you want to do this in then the sheer volume of positives you will get is simply a waste of logfile space, and the threat should be mitigated in other ways that actually block them, and that mitigation method should be able to report them if it's a reporting issue you have. If it's a personal machine then you are going to see it on your AV anyway.... So what's the point?
There is a generic rule out there.... I can find it if you want, that simply reports _any_ file type in mail that is potentially harmful.... I run that rule in my corporate environment on an internal sensor. But it's only there to alert me that the firewall failed to strip it from the email anyway.... Belt and braces approach but it makes me feel all warm and fuzzy... 
If you want to do this for learning alone then the way to create your snort rules is to start with a known issue, in this case Base64 encoding, and run the same pattern numerous times. While you do this run a packet sniffer like Ethereal to capture the actual SMTP or POP packets as they run to the server or the client. Then you need to take the data packets and examine them thoroughly. What you are looking for is the common pattern - somewhere in the entire data transfer there will _always_ be XXXXX somewhere in one of the packets. Now you have to be a tad careful.... 'cos "rcpt to:" will be in any email so that wouldn't be a good match.... so if you don't understand the underlying protocol then you need to research that first to see what is "normal". What you are looking for is the _unique_, or that which is so uncommon that the false positives don't make you ignore the alert altogether.
I doubt that there is a "rule" to catch Base64 encoding since it is too broad of a rule and the packets that imply the encoding probably do not carry the "signature" you are looking for. This makes the rules and the subsequent alerting significantly more difficult, since you need to try to start stringing packets together using the dynamic rules.....
All that probably wasn't a huge amount of help but I hope you get the picture.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides