>-----Original Message-----
>From: Dan [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, January 12, 2005 6:40 PM
>To: [EMAIL PROTECTED]
>Subject: phishing rule
>
>
>I am trying to write a rule to catch phishing schemes of this nature:
><a href="123.123.123.123/login">http://legit-stie.com/login</a>
>
>Is there anything wrong with this regexp?
>/href=\"\d{1,3}(\.\d{1,3}){3}[^\"]*\"[^\>]*\>\s*http/
>
>I realize that it is probably really error-prone, but that is why I am
>throwing it out to this list.  Has anyone else tried to tackle this
>with success?

On top of what Kevin posted, you could search for a shorter phrase, like:

.123/login">http

Instead of the whole long line. Keeps the memory lower. And the rule should be
quicker that way.

As a general rule of thumb, I try to look for the smallest 'phrase' that
will cause the best results. Sounds like nitpicking, until you run a few
hundred custom rules :)

HTH,
--Chris
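
Added example (not part of the original thread): a small Python harness that runs the regexp from the quoted message against constructed sample lines, to show which markup variants it fires on. The `RELAXED` pattern, the sample lines and the function name are assumptions made for this illustration.

```python
import re

# Dan's pattern from the message above, transcribed to Python syntax.
ORIGINAL = re.compile(r'href="\d{1,3}(\.\d{1,3}){3}[^"]*"[^>]*>\s*http')

# Assumed variant (not from the thread): optional scheme, either quote
# style, case-insensitive, and a \b so a 4-digit last "octet" is rejected.
RELAXED = re.compile(
    r'''href\s*=\s*["']?(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}\b'''
    r'''[^"'>]*["']?[^>]*>\s*https?://''',
    re.IGNORECASE,
)

# Constructed test lines: (html, should_the_rule_fire)
SAMPLES = [
    # The exact form quoted in the message.
    ('<a href="123.123.123.123/login">http://legit-stie.com/login</a>', True),
    # Same link with a scheme in front of the IP address.
    ('<a href="http://123.123.123.123/login">http://legit-stie.com/login</a>', True),
    # Upper-case tag, single quotes, https in the visible text.
    ("<A HREF='http://123.123.123.123/login'>https://legit-stie.com/</A>", True),
    # Visible text and target agree: nothing to flag.
    ('<a href="http://legit-stie.com/login">http://legit-stie.com/login</a>', False),
    # IP target, but the visible text does not pose as a URL.
    ('<a href="http://192.0.2.10/status">router status page</a>', False),
]

def misclassified(pattern):
    """Return the sample lines where the pattern disagrees with the label."""
    return [html for html, expected in SAMPLES
            if bool(pattern.search(html)) != expected]

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("relaxed", RELAXED)):
        wrong = misclassified(pat)
        print(f"{name}: {len(SAMPLES) - len(wrong)}/{len(SAMPLES)} correct")
        for html in wrong:
            print("   disagrees on:", html)
```

Keeping labelled samples like these next to a custom rule makes it easy to re-check the rule whenever the pattern is shortened or loosened.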
