On Mon, 2014-05-12 at 13:46 -0400, Alex wrote: > On Sun, May 11, 2014 at 9:32 PM, Karsten Bräckelmann <guent...@rudersport.de> > wrote:
> > This is supposed to be a rawbody rule. I know, because I've discussed > > and partly developed the rule(set) in question with you before, back in > > Oct 2013. And the RB prefix is a hint as well. ;) > > > > http://markmail.org/message/ebrm6snglxipj6wx > > Oh, I remember this thread very well. I referenced your helping me > with it in the beginning of this post. You mentioned KAM. ;) > I don't think it was broken all this time, as I know I tested it quite > extensively, but I don't know how it became a body instead of rawbody > rule. Since I thought for sure it was once working, I didn't even > think it was something I did. > > > It wasn't a case of not understanding the difference between body and > rawbody, at least. I plan to experiment further with the body version > you've just created, and see if there's usefulness with that in other > cases. While potentially useful in other cases, it is required to make your rule apply as intended to the sample provided. The actual text sure is less than 200 chars, but with the amount of HTML markup, the rawbody payload doesn't count as short and easily exceeds the 200 char threshold. With the __RB_GT_200 sub-rule fixed to a rawbody rule, the overall rule LOC_SHORT will not match the sample. -- char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
