i wrote something similar to this but instead of using .+, i used [^>]+, supposedly a tad faster, iirc. also writing s?(?:<.+>)? as (?:s(?:<[^>]+>)?)? should be slightly faster cause if it fails to match on the 's' it won't move on to check for the <stuff>
-Rocky

On Thu, Mar 31, 2005 at 11:35:26AM +0200, John Wilcock wrote:
> ><h3>h<Leo Breebaart>tt<Tigglet>p:<Graycat>/<SOGP>/get<Seyrenia>po<Lena
> >Williams>r<Patrick Dersjant>no<Simon Waldman>dv<Sorcha>d.<Guitar
> >Huw>co<The Senior Wrangler>m</h3>
>
> This looks like an effective way of getting round URIRBLs (though of
> course it requires the end user to cut and paste).
>
> The rule below seems to catch the technique. Any suggestions for
> improving it or any other rules to suggest?
>
> # 2005-03-31 new rule
> rawbody local_OBFU_HTTP /(?!https?:\/\/)h(?:<.+>)?t(?:<.+>)?t(?:<.+>)?p(?:<.+>)?s?(?:<.+>)?:(?:<.+>)?\/(?:<.+>)?\/(?:<.+>)?/im
> describe local_OBFU_HTTP HTTP obfuscated with tags
> score local_OBFU_HTTP 1.0
>
> John.
>
> --
> -- Over 2500 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages - www.tradoc.fr
> --

______________________________________________________________________
what's with today, today?

Email: [EMAIL PROTECTED]
PGP: http://rocky.mindphone.org/rocky_mindphone.org.gpg
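The two forms of the rule discussed in this thread, run side by side as an added example that is not code from either poster. It uses Python's `re` module rather than SpamAssassin, the `[^>]+` pattern is an assumed reconstruction of the variant the reply describes, and the sample lines are constructed (the first is shortened from the quoted spam).

```python
import re

FLAGS = re.IGNORECASE | re.MULTILINE  # the rule's /im modifiers

# Rule as posted in the quoted message: optional "<.+>" between the letters.
POSTED = re.compile(
    r"(?!https?:\/\/)h(?:<.+>)?t(?:<.+>)?t(?:<.+>)?p(?:<.+>)?s?(?:<.+>)?"
    r":(?:<.+>)?\/(?:<.+>)?\/(?:<.+>)?", FLAGS)

# Assumed reconstruction of the reply's variant: "[^>]+" keeps each optional
# group inside a single tag, and the tag after "s" is only tried if "s" matched.
TAG = r"(?:<[^>]+>)?"
VARIANT = re.compile(
    r"(?!https?:\/\/)h" + TAG + "t" + TAG + "t" + TAG + "p" + TAG
    + "(?:s" + TAG + ")?:" + TAG + r"\/" + TAG + r"\/" + TAG, FLAGS)

# Constructed sample lines.
SAMPLES = {
    # Letters of "http://" split by bogus tags, shortened from the quoted spam.
    "obfuscated": "<h3>h<Leo Breebaart>tt<Tigglet>p:<Graycat>/<SOGP>/get<Seyrenia>po</h3>",
    # An ordinary link: the negative lookahead must keep this from matching.
    "plain": '<a href="http://example.com/">http://example.com/</a>',
    # Text between two tags: ".+" can run from the first "<" to a later ">".
    "spanning": "Each<br>line of plain text<br>ttp://example.com/",
}


def verdicts(pattern):
    """Return {sample name: True if the pattern fires on that line}."""
    return {name: bool(pattern.search(text)) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("variant", VARIANT)):
        print(label, verdicts(pattern))
```

Both patterns fire on the obfuscated line and stay quiet on the plain link; only the posted `.+` form fires on the third line, because one optional group absorbs everything from the first `<` to the last `>`.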