Dan wrote:

I am trying to write a rule to catch phishing schemes of this nature:
<a href="123.123.123.123/login">http://legit-stie.com/login</a>

Is there anything wrong with this regexp?
/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/

I realize that it is probably really error-prone, but that is why I am
throwing it out to this list.  Has anyone else tried to tackle this
with success?



You don't need to use the 'match anything but' components. It's also a generally accepted practice not to use * but rather to put in a restriction on the number of characters that can be matched. Also note that this would have to be a rawbody test.

The following works for me in that it triggers on your example. However, most of the newer phishing emails I've seen use maps laid over legit hrefs.

rawbody MYPHISHTEST /href=\"\d{1,3}(\.\d{1,3}){3}.{0,20}\".{0,20}\>\s{0,5}http/i
score MYPHISHTEST 0.1
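To see concretely what the two regexps above do and do not trigger on, here is an added example (not part of either message in the thread). It translates Dan's pattern and the tightened rawbody pattern from the reply into Python's re module and runs both against constructed raw-body fragments: Dan's own example, an uppercase variant that only the /i rule catches, a link whose IP href is preceded by a scheme (neither rule fires, because both require the digits to follow the quote directly), a legitimate link, an image-map link with no visible URL text (the case the reply says newer phish use), and an IP href with a long path, where the bounded `.{0,20}` trades coverage for predictable matching cost. All sample HTML and the names below are made up for illustration.

```python
import re

# Dan's original pattern and the tightened rawbody pattern from the reply,
# translated from Perl/SpamAssassin syntax into Python re syntax. SpamAssassin
# evaluates rawbody rules against the un-rendered body, so both are run here
# against the raw HTML of each constructed sample.
DAN_PATTERN = re.compile(
    r'href="\d{1,3}(\.\d{1,3}){3}[^"]*"[^>]*>\s*http'
)
REPLY_PATTERN = re.compile(
    r'href="\d{1,3}(\.\d{1,3}){3}.{0,20}".{0,20}>\s{0,5}http',
    re.IGNORECASE,  # the trailing /i in the posted rule
)

# Constructed raw-body fragments (not taken from any real message).
SAMPLES = {
    # Dan's case: numeric-IP href, visible text claims to be a named site.
    "ip_href_http_text":
        '<a href="123.123.123.123/login">http://legit-stie.com/login</a>',
    # Same trick with uppercase HREF/HTTP: only the case-insensitive rule fires.
    "uppercase_variant":
        '<A HREF="10.1.2.3/login">HTTP://legit-stie.com/login</A>',
    # Scheme before the IP: neither rule fires, since both require a digit
    # immediately after href=".
    "scheme_before_ip":
        '<a href="http://123.123.123.123/login">http://legit-stie.com/login</a>',
    # Ordinary link to a named host: must not fire.
    "legit_link":
        '<a href="http://legit-stie.com/login">http://legit-stie.com/login</a>',
    # Image map over a logo: IP href but no "http..." link text, so the
    # visible-URL heuristic has nothing to key on.
    "image_map":
        '<map name="m"><area href="10.1.2.3/login" alt="login"></map>'
        '<img usemap="#m" src="cid:logo">',
    # IP href with a 500-character path: the unbounded [^"]* still matches,
    # the bounded .{0,20} gives up.
    "long_path":
        '<a href="1.2.3.4/' + 'a' * 500 + '">http://legit-stie.com/login</a>',
}


def matches(pattern, raw_body):
    """True if the compiled rule pattern fires anywhere in the raw body."""
    return pattern.search(raw_body) is not None


def evaluate(samples=SAMPLES):
    """Return {sample_name: (dan_rule_hit, reply_rule_hit)} for each sample."""
    return {
        name: (matches(DAN_PATTERN, body), matches(REPLY_PATTERN, body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (dan_hit, reply_hit) in evaluate().items():
        print(f"{name:20s} dan={dan_hit!s:5s} reply={reply_hit!s:5s}")
```

Run as a script it prints one line per sample; the two rules agree on everything except the uppercase variant (missed without /i) and the long path (missed once the quantifier is bounded), and neither fires on the scheme-prefixed IP or the image map.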




