Martin Gregorie wrote:
> What makes you think I'm using URI tests or that any of these would be
> recognised as a URI? My tests are simple body tests with {1,n} limits on
> repetitions to keep things under control.

So you want obfuscated urls to be recognised as urls but not treated as urls? If this is just for a few of your own pcre body rules, I'd suggest you handle those de-obfuscations in your rules. You can also publish your own plugin, if you think that it is worth sharing. But for most environments these de-obfuscations will be too dangerous (imo) and too easy to circumvent.

> what they want. What's the betting they'd even call their help desk to
> complain?

And how many calls will you receive for false positives? Maybe this depends on one's environment, but I'd prefer having a few non-tagged spams than a bunch of FPs.

Anyway.. I don't want to argue here. I threw in my pennies and hope the SA developers agree.

Cheers,
Jan