On 14.10.11 18:07, dar...@chaosreigns.com wrote:
Existing rule:
rawbody __SPOOFED_URL m/a\s[^]{0,2048}\bhref=(?:3D)?.?(https?:[^'\# ]{8,29}[^'\#
:\/?=])[^]{0,2048}(?:[^]{0,1024}(?!\/a)[^]{1,1024}){0,99}\s{0,10}(?!\1)https?[^\w]{1,3}[^]{5}/i
How about this, to only check for a changed
On 10/18, Matus UHLAR - fantomas wrote:
Very nice, however due to these and other circumstances mentioned I
think that a plugin would be better, since it could define where to
Thanks. It didn't work out, the results were worse than the older rule:
On 10/14, dar...@chaosreigns.com wrote:
rawbody __SPOOFED_URL
m/a\s[^]{0,2048}\bhref=(?:3D)?.?(https?:[^'\# ]{8,29}[^'\#
:\/?=])[^]{0,2048}(?:[^]{0,1024}(?!\/a)[^]{1,1024}){0,99}\s{0,10}(?!\1)https?[^\w]{1,3}[^]{5}/i
I agree it seems like we should be able to improve it. Maybe make
Existing rule:
rawbody __SPOOFED_URL m/a\s[^]{0,2048}\bhref=(?:3D)?.?(https?:[^'\#
]{8,29}[^'\#
:\/?=])[^]{0,2048}(?:[^]{0,1024}(?!\/a)[^]{1,1024}){0,99}\s{0,10}(?!\1)https?[^\w]{1,3}[^]{5}/i
How about this, to only check for a changed domain part instead?
rawbody SPOOFED_URL_DOMAIN
And what about when there is no anchor text in the link? E.g. PayPal
image button
2011/10/14 dar...@chaosreigns.com:
Existing rule:
rawbody __SPOOFED_URL m/a\s[^]{0,2048}\bhref=(?:3D)?.?(https?:[^'\#
]{8,29}[^'\#
None of these rules will hit that. That's what the second http is for.
Hit the host name part of the href value of an anchor tag, then do *not*
match the same host name in the value part of the anchor, then hit 'href'.
I should've called it SPOOFED_URL_HOST, because this one is matching the
full
You should be able to check against img src content, right?
2011/10/14 Christian Grunfeld christian.grunf...@gmail.com:
And what about when there is no anchor text in the link? E.g. PayPal
image button
2011/10/14 dar...@chaosreigns.com:
Existing rule:
rawbody __SPOOFED_URL
Not relevant to the subject. We're talking about where somebody is
maliciously making you think you're clicking on www.youtube.com when in
fact you're clicking on www.ILikeSpam.com.
Somebody linking to one domain with an image hosted on another domain has
plenty of possibility to be legit.
You
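
The check this thread is after, flagging a link whose visible text shows one host while its href points to another, as an added Python example (not code from the thread or from SpamAssassin). It parses the HTML instead of using a rawbody regex; the function names, the "www." normalisation and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
URL_IN_TEXT = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.I)

def host_of(url):  # lower-cased host without a leading "www."; "" if unparsable
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return re.sub(r"^www\.", "", host.rstrip("."))

class AnchorScan(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.finish()  # tolerate an unclosed <a>
            self.href, self.text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a":
            self.finish()
    def finish(self):
        href, self.href = self.href, None
        shown = URL_IN_TEXT.search("".join(self.text))
        if not href or not shown or not re.match(r"https?://", href, re.I):
            return  # no URL in the anchor text (e.g. image button) or no http(s) href
        shown_host, real_host = host_of(shown.group(0).rstrip(".,;:!?)")), host_of(href)
        if shown_host and real_host and shown_host != real_host:
            self.findings.append((shown_host, real_host))

def spoofed_links(html):  # -> [(host shown in anchor text, host in href), ...]
    scan = AnchorScan()
    scan.feed(html)
    scan.close()
    scan.finish()
    return scan.findings

SAMPLE = (  # constructed: spoofed link, honest link, image button
    '<a href="http://www.ILikeSpam.com/v">http://www.youtube.com/v</a>'
    '<a href="https://www.youtube.com/">www.youtube.com</a>'
    '<a href="https://www.paypal.com/pay"><img src="http://img.example.net/b.gif"></a>'
)
```

Only the first constructed link is reported; the image button is skipped because its anchor contains no URL-looking text to compare against.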