On 4/22/20 5:43 PM, Henrik K wrote:
>
> I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
> are, will look more in depth later..
>

you have been faster, I have the same diff on my tree and I was going to commit it :-)

Giovanni

> For example replace_tag A ....[\xf0][\x9d][\x97][\xae]
>
> Now your example hits at least these rules
>
> 3.6 FUZZY_BITCOIN BODY: Obfuscated "Bitcoin"
> 1.0 BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
>
> Will take a day or two to end up in sa-update..
>
>
> On Wed, Apr 22, 2020 at 04:44:25PM +0200, Brent Clark wrote:
>> I want to add, I tried this as well, and it *did* match. But it feels
>> clunky.
>>
>> https://pastebin.com/raw/7FaqnByB
>>
>> Regards
>> Brent
>>
>> On 2020/04/22 16:14, Brent Clark wrote:
>>> Sorry, in that example I copied body.
>>> I tried rawbody and body.
>>>
>>> Regards
>>> Brent
>>>
>>> On 2020/04/22 16:11, Brent Clark wrote:
>>>> Good day Guys
>>>>
>>>> I would like to ask if someone could help write a rule for the following
>>>> base64 encoded sextortion.
>>>>
>>>> https://pastebin.com/raw/MWYmfkuh
>>>>
>>>> I tried using rawbody. But it was proving to not work and be the right
>>>> solution. Below is me testing.
>>>>
>>>> i.e.
>>>> body BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
>>>> describe BASESEX Base64 Sextorsion
>>>> score BASESEX 2.0
>>>>
>>>> If anyone could assist, it would be appreciated.
>>>>
>>>> Kind regards
>>>> Brent Clark
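The thread turns on two points: the base64 fragment in Brent's BASESEX rule decodes to ordinary letters drawn from the Unicode Mathematical Alphanumeric Symbols block (4-byte UTF-8 sequences such as the [\xf0][\x9d][\x97][\xae] in Henrik's replace_tag example), and a regex written against the base64 form is fragile because the same bytes encode to a completely different string as soon as they sit at a different 3-byte offset in the body. The script below is an added illustration, not code from the thread or from SpamAssassin: it decodes the fragment, prints each character in the bracketed byte-escape form replace_tag uses, folds the homoglyphs back to ASCII with NFKC normalization (a stand-in for what a replace_tags-based fuzzy rule achieves), and shows the alignment problem. The "Bitcoin" sample string is constructed here from the same Sans-Serif Bold block; it is not taken from the spam in the pastebin links.

```python
import base64
import re
import unicodedata
from typing import List

# Base64 fragment copied from Brent's BASESEX rule in the thread.
RULE_PATTERN_B64 = "8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7"

# Constructed sample (not from the page): "Bitcoin" spelled with Mathematical
# Sans-Serif Bold letters U+1D5D5 (B), U+1D5F6 (i), U+1D601 (t), ... so that a
# plain /bitcoin/i body rule will not see it.
SAMPLE_OBFUSCATED_BITCOIN = (
    "\U0001D5D5\U0001D5F6\U0001D601\U0001D5F0\U0001D5FC\U0001D5F6\U0001D5FB"
)


def decode_rule_pattern(b64: str) -> str:
    """Base64-decode the fragment and interpret the bytes as UTF-8 text."""
    return base64.b64decode(b64).decode("utf-8")


def utf8_escapes(text: str) -> List[str]:
    """Render each character as the [\\xNN][\\xNN].. form used in replace_tag lines."""
    return ["".join(f"[\\x{b:02x}]" for b in ch.encode("utf-8")) for ch in text]


def normalize_homoglyphs(text: str) -> str:
    """NFKC maps Mathematical Alphanumeric Symbols to their ASCII base letters.

    This is the same idea as mapping each 4-byte glyph onto a replace_tag
    letter class: after folding, an ordinary word regex can match.
    """
    return unicodedata.normalize("NFKC", text)


def fuzzy_word_match(text: str, word: str) -> bool:
    """Case-insensitive word match on the homoglyph-folded text."""
    return re.search(re.escape(word), normalize_homoglyphs(text), re.IGNORECASE) is not None


def base64_alignments(text: str) -> List[str]:
    """Encode the same UTF-8 bytes preceded by 0, 1 and 2 filler bytes.

    Only the offset-0 encoding reproduces the string in the rawbody rule;
    shifting the payload by one byte changes every base64 character, which is
    why a regex over the encoded form only matches one alignment.
    """
    raw = text.encode("utf-8")
    return [base64.b64encode(b"x" * pad + raw).decode("ascii") for pad in range(3)]


if __name__ == "__main__":
    decoded = decode_rule_pattern(RULE_PATTERN_B64)
    print("decoded text :", decoded)
    print("code points  :", " ".join(f"U+{ord(c):04X}" for c in decoded))
    print("replace_tag  :", utf8_escapes(decoded)[0], "is the first letter")
    print("NFKC folded  :", normalize_homoglyphs(decoded))
    print("bitcoin hit  :", fuzzy_word_match(SAMPLE_OBFUSCATED_BITCOIN, "bitcoin"))
    for pad, enc in enumerate(base64_alignments(decoded)):
        print(f"offset {pad}: {enc}  matches rule: {RULE_PATTERN_B64 in enc}")
```

Running it shows the rule fragment is the word "attention" in U+1D5EE..U+1D607, that its first letter's bytes are exactly [\xf0][\x9d][\x97][\xae], and that the base64 string from the rawbody attempt survives only at offset 0. Folding first and matching on the decoded body, which is what replace_tags plus a body rule does, is the robust approach the thread converges on.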