Re: Need rule to catch lots of font changes

Alexandre Boyer Fri, 19 Apr 2013 09:07:13 -0700

Hi,

your meta is wrong.


It should be:

meta  LOC_MULT_BR  __LOC_BR > 10

Note that it will not match "just" 10 instances of this tag. It will
match "at least" ten of them.

If you want exactly 10, you have to do something like:

meta  LOC_MULT_BR  __LOC_BR = 10

Never done that, maybe you need to do "greater than 9 smaller than 11"
instead.

Alex, from prypiat.
Yes, I recycle.


On 13-04-18 07:32 PM, Alex wrote:
> Hi all,
>
>
>     just write a single detection rule for FONT face= (rawbody or
>     uri_detail) and use tflag multiple.
>
>     Then meta this with a counter.
>
>     eg:
>     rawbody  __BLAH  /<FONT face=/
>     tflags  __BLAH  multiple maxhits=21
>     meta  MULTPL_FONTS  __BLAH > 20
>     score  MULTPL_FONTS  5.0
>     describe MULTPL_FONTS  At least 20 FONT tags found
>
>
> I'm trying to adapt this to work with multiple <br> tags, but I must
> be doing something wrong. I've tried changing it to match just 10
> instances of <br>, just for testing. Here's what I have:
>
> rawbody  __LOC_BR  /<br>/
> tflags  __LOC_BR  multiple maxhits=11
> meta  LOC_MULT_BR > 10
> score  LOC_MULT_BR 2.0
> describe LOC_MULT_BR At least 10 br tags found
>
> Here is the body example I'm working with:
>
> <font color=3D'black' size=3D'2' face=3D'arial'><a
> href=3D"http://www.paren=
> ts-partage.org/components/com_content/bestinfo.php?tkogwruam714qhdgbfo
> <http://ts-partage.org/components/com_content/bestinfo.php?tkogwruam714qhdgbfo>">htt=
> p://www.parents-partage.org/components/com_content/bestinfo.php?tkogwruam71=
> <http://www.parents-partage.org/components/com_content/bestinfo.php?tkogwruam71=>
> 4qhdgbfo</a><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br=
> ><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><b=
> r><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><=
> br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>=
> <br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br=
> ><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>______________=
> ______<br>The stresses.. They just don't care. They're like you on
> Sunday m=
> orning. -- Jerry Griffin<br>
> </font>
>
> Any idea why this doesn't work as expected? I've pasted an example here:
>
> http://pastebin.com/qprT2Rze
>
> Thanks for any ideas.
> Alex
>
>
>
>  
>
>
>
>
>
>     Best regards,
>
>     Alex, from prypiat.
>     Yes, I recycle.
>
>
>     On 13-04-14 08:46 PM, Marc Perkel wrote:
>     > Anyone want to write a rule to catch this? Lots of font and color
>     > changes.
>     >
>     > <FONT face="Courier New" size="2" color="#e8f8f6">
>     > <p>treatment for the summer holidays.</p>
>     > <p><a href="http://jmb.tw/16xul";>Achieve all your goals and this
>     video
>     > will
>     > help you.</a></p>
>     > <p><FONT face="Charcoal, sans-serif" size="+1"
>     color="#e4f4f2">One</FONT>
>     > <FONT face="Impact, Times New Roman" size="+2"
>     color="#e4fcf9">day</FONT>
>     > <FONT face="Palatino Linotype, Palatino, serif" size="-1"
>     > color="#e0fffb">a</FONT> <FONT face="Lucida Console, Times New
>     Roman"
>     > size="+2" color="#e8fffc">younger</FONT> <FONT face="Impact,
>     Times New
>     > Roman" size="-1" color="#e4fbf8">colleague,</FONT> <FONT
>     face="Tahoma,
>     > Geneva, sans-serif" size="-3" color="#f0fffd">one</FONT> <FONT
>     > face="Courier, monospace"
>     > size="5" color="#ecfbf9">of</FONT> <FONT face="Comic Sans MS,
>     cursive"
>     > size="3" color="#e0fefa">my</FONT> <FONT face="Book Antiqua,
>     Times New
>     > Roman" size="-1" color="#e8fefb">most <FONT face="Arial" size="+2"
>     > color="#e0fdf9">intimate</FONT></p>
>     > <p><FONT face="Comic Sans MS, Times New Roman" size="+2"
>     > color="#f8fffe">friends,</FONT> <FONT face="Tahoma, Geneva,
>     sans-serif"
>     > size="-3" color="#f6fdfc">who</FONT> <FONT face="Courier New,
>     Courier,
>     > monospace" size="3" color="#f4fbfa">had</FONT> <FONT face="Lucida
>     > Console,
>     > Monaco, monospace" size="+2" color="#f2f9f8">visited</FONT> <FONT
>     > face="Arial, Helvetica, sans-serif" size="1"
>     color="#f0fefc">the</FONT>
>     > <FONT face="Courier New" size="5"
>     color="#ecfaf8">patient-</FONT> <FONT
>     > face="Century Gothic, Times New Roman"
>     > size="1" color="#e8f6f4">Irma-</FONT> <FONT face="Impact, Arial"
>     size="1"
>     > color="#e4f2f0">and</FONT> <FONT face="Lucida Console, Monaco,
>     monospace"
>     > size="-2" color="#e8fdfa">her</p>
>     > <p><FONT face="Comic Sans MS, Arial" size="1"
>     color="#e4f9f6"></FONT>
>     > </p>
>     > </FONT>
>     >
>     >
>
>

signature.asc
Description: OpenPGP digital signature

Re: Need rule to catch lots of font changes

Reply via email to