>-----Original Message-----
>From: Dan [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, January 12, 2005 6:40 PM
>To: [EMAIL PROTECTED]
>Subject: phishing rule
>
>
>I am trying to write a rule to catch phishing schemes of this nature:
><a href="123.123.123.123/login">http://legit-stie.com/login</a>
>
>Is there anything wrong with this regexp?
>/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/
>
>I realize that it is probably really error-prone, but that is why I am
>throwing it out to this list. Has anyone else tried to tackle this
>with success?

On top of what Kevin posted, you could search for a shorter phrase, like:

.123/login">http

Instead of the whole long line. Keeps the memory lower. And rule should be quicker that way.

As a general rule of thumb, I try to look for the smallest 'phrase' that will cause the best results. Sounds like nit picking, until you run a few hundred custom rules :)

HTH,
--Chris
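
An added example, not part of either message: a small Python harness that runs Dan's pattern and Chris's shorter phrase over constructed sample bodies, so a rule's hits and misses can be checked before it is deployed. `VARIANT_RULE` and every sample string are assumptions made for illustration, and Python's `re` stands in for the Perl regex engine.

```python
import re

# Dan's pattern from the message, with the Perl /.../ delimiters dropped.
DAN_RULE = re.compile(r'href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http')

# Hypothetical variant (an assumption, not from the thread): optional scheme
# before the IP, either quote style, case-insensitive tag and attribute.
VARIANT_RULE = re.compile(
    r'''href\s*=\s*["'](?:https?://)?\d{1,3}(?:\.\d{1,3}){3}[^"']*["'][^>]*>\s*http''',
    re.IGNORECASE,
)

# Chris's short phrase, checked as a literal substring. It is tied to the
# one IP/path in the sample, so it only fires on that exact campaign.
SHORT_PHRASE = '.123/login">http'

# Constructed sample bodies (not taken from real mail).
SAMPLES = {
    "email_example":
        '<a href="123.123.123.123/login">http://legit-stie.com/login</a>',
    "scheme_in_href":
        '<a href="http://123.123.123.123/login">http://legit-stie.com/login</a>',
    "uppercase_tag":
        '<A HREF="123.123.123.123/login">http://legit-stie.com/login</A>',
    "benign_named_host":
        '<a href="http://legit-stie.com/login">http://legit-stie.com/login</a>',
    "benign_ip_with_label":
        '<a href="192.0.2.10/status">router status page</a>',
}


def evaluate(samples=SAMPLES):
    """Return {sample name: {rule name: matched?}} for all three checks."""
    results = {}
    for name, body in samples.items():
        results[name] = {
            "dan": bool(DAN_RULE.search(body)),
            "variant": bool(VARIANT_RULE.search(body)),
            "short": SHORT_PHRASE in body,
        }
    return results


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:22} {hits}")
```

Keeping both the benign and the suspicious samples in the same table makes it easy to see whether tightening or loosening a rule trades missed mail for false positives.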