On Thu, 19 Mar 2009, LuKreme wrote:
> On 19-Mar-2009, at 05:41, John Hardin wrote:
> > On Thu, 19 Mar 2009, LuKreme wrote:
> > > On 19-Mar-2009, at 04:27, John Hardin wrote:
> > > > No reason it shouldn't be. I'd suggest something like a rawbody match
> > > > on /<object[\s>]/i meta'd with HTML_MESSAGE should be worth a
> > > > few (dozen) points.
> > >
> > > That seems like a good idea. You have anything?
> >
> > No, and I'd be concerned about the possibility of false positives. The
> > fact that SA rules aren't context-sensitive presents a problem here.
> > You can't reliably distinguish a match between an actual OBJECT tag and
> > mere discussion of an OBJECT tag (e.g. with syntax examples), even if
> > you meta it with HTML_MESSAGE.
>
> If it's an html message and it includes an <object tag it's suspicious.
> In an html message, a discussion would be &lt;OBJECT

But if the message also had a text/plain version, the opening angle
bracket would not be escaped. FP.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
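
The false positive described in the last reply, as an added example that is not part of the original thread and is not SpamAssassin code. It assumes, as that reply does, that the rawbody pattern is evaluated against the text/plain part as well as the text/html part; the function names and both sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage

OBJECT_RE = re.compile(r"<object[\s>]", re.I)  # the pattern suggested in the thread

def build_discussion_mail():
    """Constructed sample: multipart/alternative mail that only discusses the tag."""
    msg = EmailMessage()
    msg["Subject"] = "syntax question"
    # The plain-text alternative carries the bracket unescaped.
    msg.set_content("Use <OBJECT data=...> to embed the applet.\n")
    # The HTML alternative escapes it, so no real OBJECT element exists.
    msg.add_alternative(
        "<html><body><p>Use &lt;OBJECT data=...&gt; to embed it.</p></body></html>",
        subtype="html")
    return msg

def build_embedding_mail():
    """Constructed sample: HTML part that contains an actual OBJECT element."""
    msg = EmailMessage()
    msg["Subject"] = "hello"
    msg.set_content("See the HTML part.\n")
    msg.add_alternative(
        '<html><body><object data="x.swf"></object></body></html>',
        subtype="html")
    return msg

def text_parts(msg):
    """Yield (content_type, decoded_text) for every text/* MIME part."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content_type(), part.get_content()

def naive_rule(msg):
    """Approximation of 'rawbody match meta'd with HTML_MESSAGE':
    an HTML part exists AND the pattern hits in any text part."""
    parts = list(text_parts(msg))
    has_html = any(ct == "text/html" for ct, _ in parts)
    return has_html and any(OBJECT_RE.search(body) for _, body in parts)

def html_only_rule(msg):
    """Hypothetical part-aware check: pattern must hit inside a text/html part."""
    return any(ct == "text/html" and OBJECT_RE.search(body)
               for ct, body in text_parts(msg))

if __name__ == "__main__":
    for name, mail in (("discussion", build_discussion_mail()),
                       ("embedding", build_embedding_mail())):
        print(name, "naive:", naive_rule(mail), "html-only:", html_only_rule(mail))
```

The discussion mail trips the naive rule only because of its text/plain alternative; restricting the match to the text/html part separates the two samples.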