On Thu, Oct 23, 2003 at 10:41:25AM -0400, Chris Santerre wrote:
> Why are some URI rules written normally like this:
> uri name /regex/
> and others:
> uri name m{regex}
> uri name [EMAIL PROTECTED]@
> What is up with the m's?
They're equivalent. Have a look in, f'rex, _Programming Perl_
or _Pe
> -Original Message-
> From: Keith C. Ivey [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 22, 2003 8:14 PM
> To: [EMAIL PROTECTED]
> Cc: Chris Santerre
> Subject: Re: [SAtalk] [RD] Trojaned machines
>
> >
> > This smells of a trojaned box for spam
Chris Santerre <[EMAIL PROTECTED]> wrote:
> Why are some URI rules written normally like this:
> uri name /regex/
> and others:
> uri name m{regex}
> uri name [EMAIL PROTECTED]@
>
> What is up with the m's?
In Perl, a regular expression match is written with 'm',
followed by a delimiter, then
Hi Chris,
I have been using the following uri test for about 3 weeks without issue:
describe MY_URI_TCP_PORT MY: Non-standard TCP port in URL
uri MY_URI_TCP_PORT /:\d{2,4}\D/
score MY_URI_TCP_PORT 2.0
It will boost the score on top of what SA already catches but will also
catch
Chris Santerre <[EMAIL PROTECTED]> wrote:
> http://203.232.101.125:3344
>
> This smells of a trojaned box for spamming. I'm thinking of
> writing a rule that looks for http links with IP addresses and a
> port number. I'm thinking the FP rate would be low.
>
> It is tough to remember everything
At 10:18 AM 10/22/2003, Chris Santerre wrote:
It is tough to remember everything SA looks for. Does 2.60 have something
like this? Comments?
rawbody MY_TROJANED_HOST /http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{2,4}\//
describe MY_TROJANED_HOST Possible Trojaned box used for spam hosting
score
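
Added example (not part of any post in this thread): a Python check of what the two posted patterns hit and miss, with each sample URL matched in isolation. The `TIGHTENED` pattern and all sample URLs except the one quoted in the thread are assumptions made for illustration; Python's `re` treats these particular patterns the same way Perl does.

```python
import re

# Patterns copied from the two rules posted in the thread.
URI_PORT = re.compile(r":\d{2,4}\D")  # uri MY_URI_TCP_PORT
RAW_IP_PORT = re.compile(
    r"http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{2,4}\/"
)  # rawbody MY_TROJANED_HOST

# Hypothetical tightened variant (an assumption, not from the thread):
# http or https, IP-literal host, 2-5 digit port, explicit 80/443 excluded,
# and the port may be followed by any non-digit or by the end of the text.
TIGHTENED = re.compile(
    r"https?://\d{1,3}(?:\.\d{1,3}){3}:(?!(?:80|443)(?:\D|$))\d{2,5}(?:\D|$)"
)

# The first URL is the one quoted in the thread; the rest are constructed
# samples using documentation addresses (192.0.2.0/24, example.com).
SAMPLES = [
    "http://203.232.101.125:3344",           # no trailing slash
    "http://203.232.101.125:3344/",
    "http://192.0.2.10:31337/x",             # five-digit port
    "http://www.example.com:80/index.html",  # hostname, default port
    "https://192.0.2.10:8443/",              # https scheme
    "http://192.0.2.10:80/",                 # IP literal, default port
]


def evaluate(url):
    """Return (uri_rule_hit, rawbody_rule_hit, tightened_hit) for one URL."""
    return (
        bool(URI_PORT.search(url)),
        bool(RAW_IP_PORT.search(url)),
        bool(TIGHTENED.search(url)),
    )


def report(urls=SAMPLES):
    """Map each sample URL to its three match results."""
    return {u: evaluate(u) for u in urls}


if __name__ == "__main__":
    for url, hits in report().items():
        print(f"{hits!s:22} {url}")
```

Both posted patterns miss five-digit ports and a port at the very end of the text, and both fire on an explicitly written port 80, which matters for the false-positive estimate.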