Dan wrote:
> This is partly about DCC and partly about regex (yes, I've ordered two
> more regex books).
>
> First, there's the basic all or nothing output:
>
> X-DCC-servers-Metrics: ui1 1049; bulk Body=many Fuz1=many Fuz2=many
> X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=0 Fuz2=0
>
> ...that can be captured with basic rules:
>
> header DCCBODY_m ALL =~ /X-DCC-.{1,500}Body=many/i
> header DCCFUZ1_m ALL =~ /X-DCC-.{1,500}Fuz1=many/i
> header DCCFUZ2_m ALL =~ /X-DCC-.{1,500}Fuz2=many/i
>
> 1) Is capturing header output text the best way to implement DCC in SA?
No, using the DCC plugin that already comes with SA is the best way. Edit your v310.pre and load the DCC plugin. SA already has pre-scored and tested rules built in. No further work needed.
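As an added illustration of the reply above (not part of the original thread, and not SpamAssassin's own code): in SpamAssassin 3.1.x the stock v310.pre ships the DCC line commented out, so "load the DCC plugin" means uncommenting `loadplugin Mail::SpamAssassin::Plugin::DCC` there. The script below does that edit idempotently on a constructed copy of the relevant v310.pre lines and reports whether the plugin line is active afterwards. The file path, the sample file contents and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Enables the DCC plugin the way
# the reply describes: by uncommenting its loadplugin line in v310.pre.
# Assumption: SA 3.1.x v310.pre carries "# loadplugin Mail::SpamAssassin::Plugin::DCC"
# commented out by default. The sample file below is constructed for this demo
# and only contains the lines relevant to the edit.

# Write a constructed stand-in for the relevant part of v310.pre to "$1".
make_sample_pre() {
    cat > "$1" <<'EOF'
# This is the right place to customize your installation of SpamAssassin.
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
# loadplugin Mail::SpamAssassin::Plugin::DCC
# loadplugin Mail::SpamAssassin::Plugin::Pyzor
EOF
}

# Uncomment the DCC loadplugin line in the .pre file "$1", leaving every other
# line alone. Safe to run repeatedly: an already-active line is left as it is.
# Prints "enabled" when the line is active afterwards, "missing" when the file
# has no DCC loadplugin line at all (so there was nothing to uncomment).
enable_dcc_plugin() {
    pre="$1"
    tmp="$pre.tmp.$$"
    # Strip a leading '#' (plus optional whitespace) only from the DCC line.
    sed -e 's/^[[:space:]]*#[[:space:]]*\(loadplugin[[:space:]][[:space:]]*Mail::SpamAssassin::Plugin::DCC\)[[:space:]]*$/\1/' \
        "$pre" > "$tmp" && mv "$tmp" "$pre"
    if grep -q '^loadplugin[[:space:]][[:space:]]*Mail::SpamAssassin::Plugin::DCC[[:space:]]*$' "$pre"; then
        echo enabled
    else
        echo missing
    fi
}

# Count active (uncommented) DCC loadplugin lines in "$1"; should be exactly 1.
count_active_dcc() {
    grep -c '^loadplugin[[:space:]][[:space:]]*Mail::SpamAssassin::Plugin::DCC' "$1"
}

# Stand-alone demo on a temporary file (the real file is usually
# /etc/mail/spamassassin/v310.pre; path assumed, adjust for your install).
demo="${TMPDIR:-/tmp}/v310.pre.demo.$$"
make_sample_pre "$demo"
echo "first run:  $(enable_dcc_plugin "$demo")"
echo "second run: $(enable_dcc_plugin "$demo")"
echo "active DCC loadplugin lines: $(count_active_dcc "$demo")"
rm -f "$demo"
# After editing the real file, confirm the plugin loads and fires:
#   spamassassin --lint
#   spamassassin -D dcc -t < some-message.eml   (look for the DCC_CHECK rule)
```

Once the real v310.pre is edited, `spamassassin --lint` should come back clean and a test run with `-D dcc` shows the plugin querying the DCC server and the built-in DCC_CHECK rule firing on bulk mail, which is the pre-scored rule the reply refers to; the header-regex rules in the question then become unnecessary.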