> I'm looking to detect a mismatch between the domain in the href
> property of a URI and a domain in the anchor text itself.  

Not using lookbehind, but I long ago wrote these two rules to look for similar 
situations. Either could be modified fairly easily to do what you want.

Note: these are probably around 10 years old, written before there were URI 
rules (if I remember correctly) so there may be more efficient ways to do these 
these days.

        Loren

#check for attempting to phish
rawbody __LW_PHISH_2    m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
full    __LW_PHISH_2a   m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
meta    LW_PHISH_2     __LW_PHISH_2 || __LW_PHISH_2a
score   LW_PHISH_2      50
describe LW_PHISH_2    numeric href with https description
#score   __LW_PHISH_2  1
#score   __LW_PHISH_2a 1

rawbody  __LW_PHISH_3  /<a\s+[\s\w=\.]*href=\"http:[^>]+>https:/is
full     __LW_PHISH_3a /<a\s+[\s\w=\.]*href=\"http:[^>]+>https:/is
meta     LW_PHISH_3    __LW_PHISH_3 || __LW_PHISH_3a
score    LW_PHISH_3    50
describe LW_PHISH_3    secure description with insecure link
#score   __LW_PHISH_3  10
#score   __LW_PHISH_3a 1
