Hey guys, I've developed a few rules which seem to be hitting well, could I get these into the sandbox?
TO_EQ_FROM_NAME will match headers that look like the following:

From: "t...@example.com" <u...@anotherdomain.com>
To: t...@example.com

----8<----
# Hit when the To: address reappears as the From: display name while the real
# From: address differs; _1 covers To: before From:, _2 the reverse order.
header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2)
describe PDS_TO_EQ_FROM_NAME To: name same as From: address
----8<----

FROM_2_EMAILS - inspired by the Khopesh rule of the same name. Matches when the from name contains an email address different to the from address, such as:

From: "t...@example.com" <u...@anotherdomain.com>

----8<----
# The address in the display name must differ from the one in angle brackets;
# mail re-signed by a mailing list is excluded in the meta.
header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
meta PDS_FROM_2_EMAILS ((__PDS_FROM_2_EMAILS) && !(__VIA_ML && __VIA_RESIGNER))
----8<----

LOC_WP - detects potentially exploited WP sites, along with other characteristics can score appropriately - not sure what the thoughts are on multiple rules that match the same thing as below:

----8<----
# URI under wp-content/ or wp-includes/ whose last four characters are not one
# of the usual static-file extensions, combined with the short-body rules.
uri __PDS_LOC_WP m;/(?:wp-content|wp-includes)/.*(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.eot|\.pdf).{4}$;i
meta PDS_LOC_WP (__PDS_LOC_WP && (__KAM_BODY_LENGTH_LT_1024 || __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048))
score PDS_LOC_WP 1.0
meta PDS_LOC_WP_SHORT (__PDS_LOC_WP && __KAM_BODY_LENGTH_LT_512)
meta PDS_LOC_WP_VSHORT (__PDS_LOC_WP && __KAM_BODY_LENGTH_LT_256)
----8<----

LOC_WP_POMO - only certain files should be in the pomo dir - this detects ones that shouldn't be

----8<----
# Anything under wp-includes/pomo/ other than entry/po/mo/streams/translations.php
uri __PDS_LOC_WP_POMO m;/wp-includes/pomo/;i
uri __PDS_LOC_WP_POMO_1 m;/wp-includes/pomo/entry\.php;i
uri __PDS_LOC_WP_POMO_2 m;/wp-includes/pomo/(?:po|mo)\.php;i
uri __PDS_LOC_WP_POMO_3 m;/wp-includes/pomo/streams\.php;i
uri __PDS_LOC_WP_POMO_4 m;/wp-includes/pomo/translations\.php;i
meta PDS_LOC_WP_POMO ((__PDS_LOC_WP_POMO) && (!__PDS_LOC_WP_POMO_1 && !__PDS_LOC_WP_POMO_2 && !__PDS_LOC_WP_POMO_3 && !__PDS_LOC_WP_POMO_4))
----8<----

LOC_JOOMLA - can be used similar to the LOC_WP above, with combinations for SHORT and VSHORT

----8<----
# Same extension trick as LOC_WP, keyed on common Joomla path fragments.
uri __PDS_LOC_JOOMLA m;/(?:modules/mod_|option=com_|administrator/cache|templates/|components/com_).*(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.eot|\.pdf).{4}$;i
meta PDS_LOC_JOOMLA (__PDS_LOC_JOOMLA && (__KAM_BODY_LENGTH_LT_1024 || __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048))
----8<----

PDS_SUBJECT_REPEAT - Weird thing I've seen with some spam where the subject is repeated on the line below, such as:

Subject: Re: Test email
Re: Test email

----8<----
# The captured Subject: line (including its newline) must be followed by an
# identical line.
header PDS_SUBJECT_REPEAT ALL =~ /\nSubject:\s+([^\n]+\n)(\1)/
score PDS_SUBJECT_REPEAT 8.0
----8<----

Any feedback on these? What are the thoughts on rules like the additional WP_ ones? I'd see the progressively shorter ones scoring higher (in theory, anyway).

Paul

--
Paul Stead
Systems Engineer
Zen Internet
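The matching logic behind TO_EQ_FROM_NAME, FROM_2_EMAILS and PDS_SUBJECT_REPEAT, re-implemented in Python as an added example (not from Paul's post or from SpamAssassin) so the three checks can be exercised on constructed headers without a SpamAssassin install. It keeps the rules' intent rather than transliterating the Perl regexes, and it leaves out the __VIA_ML/__VIA_RESIGNER mailing-list exclusion; the sample addresses are placeholders.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Address shape roughly as in the posted regexes: local@domain.tld
EMAIL_RE = re.compile(r"[\w+.-]+@[\w.-]+\.\w{2,}")

def _from_parts(msg):
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.lower()

def from_2_emails(msg):
    # FROM_2_EMAILS: From: display name carries an address that is not the real
    # From: address. The __VIA_ML/__VIA_RESIGNER exclusion is not modelled.
    name, addr = _from_parts(msg)
    m = EMAIL_RE.search(name)
    return bool(m and addr and m.group(0).lower() != addr)

def to_eq_from_name(msg):
    # TO_EQ_FROM_NAME: a To: recipient address is reused as the From: display
    # name while the real From: address is something else.
    name, addr = _from_parts(msg)
    in_name = {e.lower() for e in EMAIL_RE.findall(name)}
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    return any(r in in_name and r != addr for r in recipients)

def subject_repeat(raw):
    # SUBJECT_REPEAT: Subject: value repeated verbatim on the next raw line.
    return re.search(r"^Subject:[ \t]+([^\n]+\n)\1", raw, re.M) is not None

def check(raw):
    """Run the three checks over one raw message; returns {rule: hit}."""
    msg = email.message_from_string(raw)
    return {
        "PDS_FROM_2_EMAILS": from_2_emails(msg),
        "PDS_TO_EQ_FROM_NAME": to_eq_from_name(msg),
        "PDS_SUBJECT_REPEAT": subject_repeat(raw),
    }

# Constructed sample messages; every address here is a placeholder.
SPOOFED = (
    'From: "victim@example.com" <attacker@anotherdomain.example>\n'
    "To: victim@example.com\nSubject: Re: Test email\n"
    "Re: Test email\n\nbody\n"
)
LEGIT = (
    'From: "Jane Doe" <jane@example.com>\n'
    "To: victim@example.com\nSubject: Re: Test email\n\nbody\n"
)
```

`check(SPOOFED)` reports all three rules hit and `check(LEGIT)` none; a From: whose display name repeats its own address is deliberately not flagged.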