On Thu, 19 Mar 2009, LuKreme wrote:
> On 19-Mar-2009, at 04:27, John Hardin wrote:
>> No reason it shouldn't be. I'd suggest something like a rawbody match
>> on /<object[\s>]/i meta'd with HTML_MESSAGE should be worth a few
>> (dozen) points.
>
> That seems like a good idea. You have anything?

No, and I'd be concerned about the possibility of false positives. The
fact that SA rules aren't context-sensitive presents a problem here. You
can't reliably distinguish a match between an actual OBJECT tag and mere
discussion of an OBJECT tag (e.g. with syntax examples), even if you meta
it with HTML_MESSAGE.

Hence my subsequent suggestion for an HTML tag scoring plugin. That
_would_ be context-sensitive and I'd feel safe giving an OBJECT tag 20
points that way.

Another alternative would be a way to mark a rule so that it only applies
to body parts of a given MIME type, so the rule above could only be run
against the text/html body parts.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
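
The false-positive concern and the two alternatives in the message above (a rule limited to text/html parts, and a context-sensitive HTML tag check), as an added Python illustration that is not part of the original thread and is not SpamAssassin code. The names `parts`, `TagCounter`, `check` and `mail` and the sample messages are constructed here, and HTML_MESSAGE is assumed to mean "the message has a text/html part".

```python
import re
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser

OBJECT_RE = re.compile(r"<object[\s>]", re.I)  # pattern quoted in the thread

def parts(msg, ctype=None):
    """Decoded text of each text/* part, optionally limited to one MIME type."""
    for p in msg.walk():
        if p.get_content_maintype() == "text" and ctype in (None, p.get_content_type()):
            raw = p.get_payload(decode=True) or b""
            yield raw.decode(p.get_content_charset() or "utf-8", "replace")

class TagCounter(HTMLParser):
    """Counts real OBJECT start tags; entities and comments are not tags."""
    objects = 0
    def handle_starttag(self, tag, attrs):  # tag arrives lower-cased
        if tag == "object":
            self.objects += 1

def check(msg):
    """Return (regex on any part + has HTML, regex on text/html only, parsed tag)."""
    html = list(parts(msg, "text/html"))
    # Assumption: stands in for the regex rule meta'd with HTML_MESSAGE.
    anywhere = bool(html) and any(OBJECT_RE.search(t) for t in parts(msg))
    html_only = any(OBJECT_RE.search(t) for t in html)
    counter = TagCounter()
    for t in html:
        counter.feed(t)
    counter.close()
    return anywhere, html_only, counter.objects > 0

def mail(**bodies):
    """Constructed sample message: one MIME part per subtype=body keyword."""
    msg = MIMEMultipart("alternative")
    for subtype, body in bodies.items():
        msg.attach(MIMEText(body, subtype))
    return msg

# Constructed samples: tag discussion, a real tag, a tag named in a comment.
DISCUSSION = mail(plain='Write it as <object data="movie.swf"> in your page.',
                  html='<p>Write it as &lt;object data="movie.swf"&gt;.</p>')
EMBED = mail(html='<OBJECT data="http://example.invalid/x"></OBJECT>')
COMMENTED = mail(html='<!-- syntax: <object> --><p>hello</p>')

if __name__ == "__main__":
    for name in ("DISCUSSION", "EMBED", "COMMENTED"):
        print(name, check(globals()[name]))
```

The discussion message trips only the part-agnostic check, while the commented sample still trips the text/html-only regex and is cleared only by the parser.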