I'm trying to create a rule that will detect a vulnerable link within a message:
body BADD_LINK /(?:href|src).*\.(?:bat|chm|dll|exe|lnk|pif|scr)["'\s>]/i
describe BADD_LINK Contains a link to a vulnerable file
score BADD_LINK 0.1

Something isn't right because tests show nothing is being detected. It could also be that I'm not looking at something right.
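
An added example, not part of the original post: it runs the post's pattern over a constructed HTML part twice, once as-is (what a `rawbody` rule is matched against) and once with the tags stripped (roughly what a `body` rule is matched against, since SpamAssassin applies `body` rules to the rendered text). Assumptions: `rendered()` only approximates SpamAssassin's rendering, matching is done per line, and `TIGHT` is a hypothetical tightened pattern that is not in the post.

```python
import re
from html.parser import HTMLParser

# Pattern from the post's BADD_LINK rule, unchanged.
BADD_LINK = re.compile(
    r"""(?:href|src).*\.(?:bat|chm|dll|exe|lnk|pif|scr)["'\s>]""", re.I)
# Hypothetical tightened pattern (not from the post): stays inside one attribute value.
TIGHT = re.compile(
    r"""(?:href|src)\s*=\s*["']?[^"'\s>]*\.(?:bat|chm|dll|exe|lnk|pif|scr)["'\s>]""",
    re.I)

class _TextOnly(HTMLParser):
    """Keeps text nodes and drops tags and their attributes."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

def rendered(html):
    """Rough stand-in for the tag-stripped text a `body` rule sees (assumption)."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.parts).split())

def hits(pattern, text):
    """Lines of `text` the pattern matches ('.' does not cross newlines)."""
    return [line for line in text.splitlines() if pattern.search(line)]

# Constructed sample HTML part; hosts and file names are made up.
LINK_EXE = '<a href="http://files.example.com/invoice.exe">Download invoice</a>'
LINK_HTML = '<a href="http://files.example.com/readme.html">notes on setup.exe </a>'
SAMPLE_HTML = "\n".join(
    ["<html><body>", "<p>Your invoice is ready.</p>", LINK_EXE, LINK_HTML,
     '<img src="http://files.example.com/logo.png">', "</body></html>"])

def compare(html):
    """Hits per view: raw HTML, rendered text, and raw HTML with TIGHT."""
    return {
        "rawbody": hits(BADD_LINK, html),
        "body": hits(BADD_LINK, rendered(html)),
        "rawbody_tight": hits(TIGHT, html),
    }

if __name__ == "__main__":
    for view, lines in compare(SAMPLE_HTML).items():
        print(view, lines)
```

On the raw HTML the post's pattern also hits the second link, whose target is `readme.html`, because the greedy `.*` runs past the attribute into the link text.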