On 14 Jul 2020, at 20:20, Loren Wilton wrote:
I'm looking to detect a mismatch between the domain in the href
property of a URI and a domain in the anchor text itself.
Not using lookbehind, but I long ago wrote these two rules to look for
similar situations. Either could be modified fairly easily to do what
you want.
Note: these are probably around 10 years old, written before there
were URI rules (if I remember correctly) so there may be more
efficient ways to do these nowadays.
Loren
#check for attempting to phish
rawbody __LW_PHISH_2 m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
full __LW_PHISH_2a m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
meta LW_PHISH_2 __LW_PHISH_2 || __LW_PHISH_2a
score LW_PHISH_2 50
describe LW_PHISH_2 numeric href with https description
#score __LW_PHISH_2 1
#score __LW_PHISH_2a 1
rawbody __LW_PHISH_3 /<a\s+[\s\w=\.]*href=\"http:[^>]+>https:/is
full __LW_PHISH_3a /<a\s+[\s\w=\.]*href=\"http:[^>]+>https:/is
meta LW_PHISH_3 __LW_PHISH_3 || __LW_PHISH_3a
score LW_PHISH_3 50
describe LW_PHISH_3 secure description with insecure link
#score __LW_PHISH_3 10
#score __LW_PHISH_3a 1
There are rough equivalents to these in the current default rules:
HTTPS_IP_MISMATCH and HTTPS_HTTP_MISMATCH.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
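The three checks discussed in this thread (Loren's numeric-href and insecure-href cases, plus the original href-host versus anchor-text-host question) as an added, stand-alone Python example; this is not code from the thread or from SpamAssassin, the indicator strings and the sample anchors are constructed here for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample message body (not from the thread): anchors 1 and 3
# are deceptive, anchors 2 and 4 are benign.
SAMPLE_BODY = """
<a href="http://198.51.100.7/login">https://bank.example.com/login</a>
<a href="https://help.example.net/faq">help.example.net</a>
<a class="btn" href="https://secure-login.example.org/x">https://www.example.com/account</a>
<a href="http://news.example.net/">Click here</a>
"""

# Capture each anchor's href value and its visible text; case-insensitive and
# spanning newlines, like the /is flags on the rules above.
ANCHOR_RE = re.compile(
    r'<a\s[^>]*?href\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>(.*?)</a>', re.I | re.S)
# Visible text that looks like a URL or a bare hostname / IPv4 literal.
HOSTISH_RE = re.compile(
    r'^(?:(https?)://)?([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?:[/:?#]|$)', re.I)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def host_and_scheme(url):
    p = urlparse(url)
    return (p.hostname or '').lower(), p.scheme.lower()

def classify_anchor(href, text):
    """Return the mismatch indicators (constructed labels) for one anchor."""
    text = re.sub(r'<[^>]+>', '', text).strip()      # drop nested markup
    href_host, href_scheme = host_and_scheme(href)
    hits = []
    m = HOSTISH_RE.match(text)
    if not m:
        return hits                  # "Click here" etc.: nothing to compare
    text_scheme, text_host = (m.group(1) or '').lower(), m.group(2).lower()
    # __LW_PHISH_2: numeric (IP) href, https:// shown in the visible text
    if IPV4_RE.match(href_host) and text_scheme == 'https':
        hits.append('numeric href with https description')
    # __LW_PHISH_3: plain http href, https shown in the visible text
    if href_scheme == 'http' and text_scheme == 'https':
        hits.append('secure description with insecure link')
    # The original question: the host in href differs from the host displayed
    if href_host != text_host:
        hits.append('href/anchor-text host mismatch')
    return hits

def scan(body):
    """List (href, indicators) for every anchor in an HTML body."""
    return [(href, classify_anchor(href, text)) for href, text in ANCHOR_RE.findall(body)]
```

Anchor text like "Click here" or "help.example.net" linking to its own host produces no indicator, so only anchors whose visible text makes a claim the href does not honour are flagged.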