On Mon, Sep 28, 2009 at 12:21:29PM +0200, Per Jessen wrote:
> Henrik K wrote:
>
> > Current iXhash has many bugs, which I noticed when I worked on my own
> > version with SA native DNS lookups.
> >
> > One of the bigger problems of iXhash is probably of historical nature.
> > There is no decoding of messages (base64 etc).
> >
> > Looking at method #1, which is supposed to apply on messages with 20
> > spaces and 2 newlines:
> >
> > if (($body =~ /(?>\s.+?){20}/g) || ( $body =~ /\n.*\n/ ) ){
> >
> > Since it's buggily OR'd instead of &&
>
> I think you've got some old code there. My ixhash plugin has this line
> instead:
>
> if (($body =~ /([\s\t].+?){20}/ ) && ($body =~ /.*$.*$.*/)) {
I only know of http://ixhash.sf.net/ which results in iXhash-1.5.5.zip.
So it seems you have an "unofficial" version, which really offers very
little improvement. Not only are those regex extremely slow (I just
benchmarked), but it also happily hashes all base64 messages with 20 lines,
which probably also generates some nice FPs.
Cheers,
Henrik
