On Thu, 6 Dec 2018, Pedro David Marco wrote:
> Hi,
> I need some wisdom from SA monks please...
> Can anyone explain briefly how header ALL works?
> If I try a rule like this:
> header TESTRULE1 ALL =~ /.+/ism
> Using -D debug mode I only "see" the first header of the email... shouldn't I
> see all headers?
> It works nice if I check for something slightly more complex, such as....
> header TESTRULE2 ALL =~ /From=.*pedro.* To=.*pedro.*/ism
> but I am trying to understand how it works... and why I only see one line in
> Debug mode...
> Thx,
"." apparently doesn't match line breaks (I'm sure that's documented
somewhere in the RE language spec but I can't be bothered to dig it up
right now :) ).
There's two ways to do this:

  # All headers, one per hit
  header __ALL_HEADERS ALL =~ /.+/sm
  tflags __ALL_HEADERS multiple

  # All headers together in one hit
  header __ALL_HEADERS_ALL ALL =~ /(?:.+$)+/sm
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #6: If you can choose what to bring
to a gunfight, bring a long gun and a friend with a long gun.
-----------------------------------------------------------------------
Tomorrow: The 77th anniversary of Pearl Harbor
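
An added example, not part of the original post and not SpamAssassin code: a plain Perl script that runs the thread's patterns under different /s and /m flag combinations over a multi-line header block and lists each successive match. It assumes a constructed header block and a simple /g loop (the helper all_matches is hypothetical); how SpamAssassin builds the ALL text, applies "tflags multiple", or prints hits under -D is not modelled here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed header block (sample data, not taken from the thread).
my $headers = join '',
    "Received: from mail.example.org by mx.example.net\n",
    "From: Pedro <pedro\@example.org>\n",
    "To: pedro\@example.net\n",
    "Subject: test\n";

# Patterns to compare. The last two are the ones posted in the reply above;
# the first two drop /s to show how "." treats line breaks without it.
my @patterns = (
    [ '/.+/'          => qr/.+/          ],
    [ '/.+/m'         => qr/.+/m         ],
    [ '/.+/sm'        => qr/.+/sm        ],
    [ '/(?:.+$)+/sm'  => qr/(?:.+$)+/sm  ],
);

# Hypothetical helper: collect every successive match of $re in $text,
# walking the string with a /g loop.
sub all_matches {
    my ($re, $text) = @_;
    my @hits;
    while ($text =~ /$re/g) {
        push @hits, $&;
    }
    return @hits;
}

for my $p (@patterns) {
    my ($label, $re) = @$p;
    my @hits = all_matches($re, $headers);
    printf "%-14s %d match(es)\n", $label, scalar @hits;
    for my $h (@hits) {
        (my $shown = $h) =~ s/\n/\\n/g;   # make line breaks visible
        print "    [$shown]\n";
    }
}
```

Comparing the match counts with and without /s shows whether a given rule pattern stops at the end of a header line or runs across line breaks.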