On Feb 14, 2014, at 11:53 AM, Adam Katz <antis...@khopis.com> wrote:
> some of your sample's strings had an extra character on the end.
>
To be clear, that wasn't my sample; I am not the originator of this thread.
> This version of the rule is more expensive, but is safer to score higher
> (maybe 3-4 points): body HEXHASH_WORD_5
> /\b[a-z]{1,10}\s([0-9a-f]{30})(?:.{0,99}\b[a-z]{1,10}\s\1){4}/
> describe HEXHASH_WORD_5 Five copies of the same hexadecimal hash, each
> following a word
What about this, a variant of what I posted earlier? It requires 10 matches,
but I believe it does the same thing as yours except it does not limit the word
size between hashes, and allows for whitespace:
rawbody AC_REPEATED_HASHCODE
/(\s[a-f0-9]{25,}\s)(?:(?:\s*\w+)+\1){10}
Yours also limits the amount of characters between repeated hashes to 99, but
this might well not be the case.
> I know you don't have Bayes enabled
Again to reiterate, I'm not the originator...
Cheers.
--- Amir
