One problem is that we've already added something for those mails in 3.1.0 --
but from the other direction ;)

Namely, Theo wrote a plugin which allows rules to be written which
are then translated into more complex rules, that match the variety
of obfuscations observed. The two modes kind of clash... but
we should compare one against the other.

FWIW, I quite like the idea of massively normalising as you do there --
lowercasing, dropping spaces, etc. I can see one problem with doing it
that way though. If you approach it from the normalization angle, there
are issues with some kinds of obfuscation, e.g. the ones where a char in a
string has been replaced by multiple chars:

    the quick brown fox jumped
    the quick brow|\| fox jumped

coming from the other angle, by munging the rule strings, you *can*
match that.

anyway, I'll let Theo comment...

--j.

Loren Wilton writes:
> RFC: Normalized text ruletype
>
> Wow, neat! I've been looking at something like
> this for quite some time.
>
> Adding in pipes and some of the other characters known to be used for
> obfuscations could well drastically increase your hit ratios, they
> are really common.
>
> I think this is quite possibly a good start on a new rule type.
>
> Loren
>
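
The trade-off described in the message above, as an added example that is not part of the original mail and is not SpamAssassin's plugin code: a per-character normalizer misses the multi-character `|\|` substitution, while a rule string expanded into a regex matches it. The VARIANTS table, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed obfuscation table (an assumption for this example, not a
# SpamAssassin data set): letter -> spellings seen in place of it.
VARIANTS = {
    "a": ["a", "@", "4"],
    "o": ["o", "0"],
    "i": ["i", "1", "!"],
    "n": ["n", "|\\|", "/\\/"],
    "w": ["w", "\\/\\/", "vv"],
}
# Only one-character variants can be undone by a per-character mapping.
FOLD = {ord(v): k for k, vs in VARIANTS.items() for v in vs if len(v) == 1}


def normalize(text):
    """Normalization angle: lowercase, drop whitespace, fold look-alikes."""
    return "".join(text.lower().split()).translate(FOLD)


def match_normalized(phrase, text):
    """Plain substring test on the normalized forms of rule and text."""
    return normalize(phrase) in normalize(text)


def expand_rule(phrase):
    """Rule-munging angle: each letter becomes an alternation of its spellings."""
    parts = []
    for ch in phrase.lower():
        if ch.isspace():
            parts.append(r"\s*")  # spaces in the rule may be missing in the text
            continue
        alts = sorted(VARIANTS.get(ch, [ch]), key=len, reverse=True)
        parts.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
    return re.compile("".join(parts), re.IGNORECASE)


def match_expanded(phrase, text):
    return expand_rule(phrase).search(text) is not None


# Constructed samples, based on the message's "brow|\|" example.
SAMPLES = ["the quick brown fox jumped",
           "the quick br0wn fox jumped",
           "the quick brow|\\| fox jumped"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(match_normalized("brown fox", s), match_expanded("brown fox", s), s)
```

Only the third sample separates the two approaches: the single-character `0` is folded by the normalizer, but the three-character `|\|` is matched only by the expanded rule.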