Re: URL rule creation question
\s is the proper way to represent whitespace. lol, yes, I know that; I was actually trying to match 's' and the slash is the start of the pattern match. I wasn't referring to the beginning of the RE. Yeah, I realized that just after I sent this, if anyone cares :-) Thanks again, Alex
Re: URL rule creation question
On 10.09.09 18:28, MySQL Student wrote: I've seen this pattern in spam quite a bit lately: href=http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69 .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66. 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO what kind of URL/service is this? Isn't it worth to block this at all? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. One OS to rule them all, One OS to find them, One OS to bring them all and into darkness bind them
Re: URL rule creation question
On Fri, 2009-09-11 at 14:37 +0200, Matus UHLAR - fantomas wrote: On 10.09.09 18:28, MySQL Student wrote: I've seen this pattern in spam quite a bit lately: href=http://EXAMPLE.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69 .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66. 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO what kind of URL/service is this? Isn't it worth to block this at all? The 'doubleheadedrover' domain currently shows up in Razor(E8), uribl_black, surbl_jp, and invaluement. But it wasn't in all of those when he first started posting about it. So he is looking for a way of identifying bad urls by examining the path portion rather than the domain -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com signature.asc Description: This is a digitally signed message part
Re: URL rule creation question
Hi, The 'doubleheadedrover' domain currently shows up in Razor(E8), uribl_black, surbl_jp, and invaluement. But it wasn't in all of those when he first started posting about it. Yes, that's correct. Thanks for your help. That's already caught a few. I have another that I thought you could help with. I'd like to create a rule that matches a specific letter and up to 5 spaces after it, repeated ten times. I'm thinking something like this: /s\ {5}o\ {5}n\ {5}i\ {5}c\ {5}\ m\ {5}e\ {5}d\ {5}i\ {5}a/i I'm still learning regex's, so hopefully this isn't too far off. The opportunities for rules are coming faster than my ability to learn. Thanks, Alex
Re: URL rule creation question
On Fri, 2009-09-11 at 15:09 -0400, Alex wrote: I'd like to create a rule that matches a specific letter and up to 5 spaces after it, repeated ten times. I'm thinking something like this: /s\ {5}o\ {5}n\ {5}i\ {5}c\ {5}\ m\ {5}e\ {5}d\ {5}i\ {5}a/i A space does not have any special meaning in REs. Don't escape it. The quantifier {5} means *exactly* 5 occurrences. What you are after is the {n,m} quantifier with an lower n and (optional) upper m bound. Thus, to match at least one, and up to 5 occurrences: {1,5} I'm still learning regex's, so hopefully this isn't too far off. The opportunities for rules are coming faster than my ability to learn. http://perldoc.perl.org/perlre.html The reference. In particular, also do have a look at the perlrequick Introduction and perlretut Tutorial referenced early in the Description section. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: URL rule creation question
On Fri, 2009-09-11 at 12:43 -0700, John Hardin wrote: \s is the proper way to represent whitespace. True. However, in all rule types that use rendered text, there is only a space -- no tabs. Well, there are newlines, but that doesn't matter unless you use special modifiers. ;) Actually, this reminds me -- if Alex is writing his rule as a body rule, the text parts are rendered and normalized. This effectively means any number of consecutive whitespace (within a paragraph) will be condensed to a single space. Thus /a b/ and /a {1,5}b/ become identical. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: URL rule creation question
On Fri, 2009-09-11 at 15:09 -0400, MySQL Student wrote: Hi, The 'doubleheadedrover' domain currently shows up in Razor(E8), uribl_black, surbl_jp, and invaluement. But it wasn't in all of those when he first started posting about it. Yes, that's correct. Thanks for your help. That's already caught a few. I have another that I thought you could help with. I'd like to create a rule that matches a specific letter and up to 5 spaces after it, repeated ten times. unless you are using rawbody rules, multiple spaces are collapsed to single spaces on the regularized body that rules are run against -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com signature.asc Description: This is a digitally signed message part
Re: URL rule creation question
McDonald, Dan wrote: From: Matt Kettler [mailto:mkettler...@verizon.net] This rule should detect 10 consecutive occurrences. uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10} Warning: I wrote this quickly without too much thought. It may have bugs, but I'm short on time at the moment. your variant would require two periods in a row between each pair. So it would... Hence the warning :)
URL rule creation question
Hi all, I've seen this pattern in spam quite a bit lately: href=http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69 .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66. 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO Would it be reasonable to create a rule that looks for this two-char then dot pattern, or is it reasonable that it might appear in a legitimate email too frequently? If possible, how would you create a rule to capture this? Thanks, Alex
Re: URL rule creation question
MySQL Student wrote: Hi all, I've seen this pattern in spam quite a bit lately: snip - URI that verizon won't let me send Would it be reasonable to create a rule that looks for this two-char then dot pattern, or is it reasonable that it might appear in a legitimate email too frequently? If possible, how would you create a rule to capture this? This rule should detect 10 consecutive occurrences. uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10} I do think that 4-in-a-row might be pretty common (ie: IP addresses), but 10 in a row seems unlikely. Warning: I wrote this quickly without too much thought. It may have bugs, but I'm short on time at the moment.
Re: URL rule creation question
On Thu, 2009-09-10 at 18:28 -0400, MySQL Student wrote: Hi all, I've seen this pattern in spam quite a bit lately: href=http://doubleheaderover.com/jazert/html/?39.6d.3d.31.66.67.6b.79.77.63.77.63.65.6e.74.69.6e.6e.69 .61.6c.5f.68.31.33.33.2e.6f.39.39.41.4d.2e.30.30.45.33.39.2e.30.32.30.61.64.6b.37.61.76.61.67.63.31.66. 62.2e.6a.61.7a.65.72.74.2e.68.74.6d.6c3az8fO Would it be reasonable to create a rule that looks for this two-char then dot pattern, or is it reasonable that it might appear in a legitimate email too frequently? If possible, how would you create a rule to capture this? uri URI_HEX_DOTTED /(?:[[:xdigit:]]{2}\.){10}/ That would look for 10 two-digit hex numbers separated by periods in a url. Figure if you have at least 10 of them, its probably a match... -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com signature.asc Description: This is a digitally signed message part
RE: URL rule creation question
From: Matt Kettler [mailto:mkettler...@verizon.net] This rule should detect 10 consecutive occurrences. uri L_URI_FUNNYDOTS /(?:\.[a-z,0-9]{2}\.){10} Warning: I wrote this quickly without too much thought. It may have bugs, but I'm short on time at the moment. your variant would require two periods in a row between each pair.