Gray, Richard wrote:
>When I worked on this, I basically took the anti_drug ruleset, and added
>a check to ensure that the rules only fire on obfuscated versions of the
>name. This can be done using negative lookahead in the rule
>
>Header SAMPLE_RULE Subject =~ /(?!viagra)v[1i][a4]gr[4a]/i
>
>As an example (and only an example. I wrote it off the top of my head
>with no linting/brainwork)
>
>Again, I'm happy to provide further input if you need it.
>
Why not just use the existing obfu detection in the antidrug ruleset? Just set the scores of all the non-obfu rules in the ruleset to 0.001 and you're done.
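
The negative-lookahead pattern from the quoted rule, checked against constructed subject lines in Python (whose `re` syntax agrees with Perl's for this pattern). This is an added example, not code from either poster or from the antidrug ruleset; the `LOOKALIKES` table and the `obfuscation_only_rule` and `fires` helpers are hypothetical and generalise beyond the single rule in the post.

```python
import re

# Pattern from the quoted rule, with /i expressed as re.IGNORECASE.
QUOTED = re.compile(r"(?!viagra)v[1i][a4]gr[4a]", re.IGNORECASE)

# Look-alike substitutions: constructed for this example, not the ruleset's own table.
LOOKALIKES = {"a": "a4@", "e": "e3", "i": "i1!|", "o": "o0", "s": "s5$"}


def obfuscation_only_rule(word):
    """Build a regex matching look-alike spellings of `word` but never the plain word."""
    body = "".join(
        "[" + re.escape(LOOKALIKES[ch]) + "]" if ch in LOOKALIKES else re.escape(ch)
        for ch in word.lower()
    )
    # (?!word) refuses a match at any position where the plain spelling starts,
    # so only spellings with at least one substituted character can hit.
    return re.compile("(?!" + re.escape(word.lower()) + ")" + body, re.IGNORECASE)


def fires(rule, subject):
    """True if the rule would hit on this Subject header value."""
    return rule.search(subject) is not None


# Constructed sample subjects with the expected result for the quoted rule.
SAMPLES = [
    ("Refill your viagra prescription", False),  # plain spelling: lookahead blocks it
    ("VIAGRA", False),                           # the case flag applies inside the lookahead too
    ("Cheap V1AGRA here", True),                 # one substituted character
    ("viagr4 shipped overnight", True),          # substitution in the last character
    ("viagra or v1agra", True),                  # plain form skipped, obfuscated form still hits
]

if __name__ == "__main__":
    general = obfuscation_only_rule("viagra")
    for subject, _expected in SAMPLES:
        print(f"{subject!r}: quoted={fires(QUOTED, subject)} general={fires(general, subject)}")
```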