On Sat, 3 Feb 2018, Alex wrote:

Hi,

The only "solution" I've ever come up with is to create a meta rule group to 
account for the Subject hit:

body __FOO /foo/
header __SUBJ_FOO  Subject =~ /foo/
meta FOO  __FOO && !__SUBJ_FOO

I have to admit it's annoyed me on occasion that I can't create a single simple 
rule that ONLY matches on the message body, but TBH it's never been important 
enough in context for me to even commit the above horror.

It seems the number of times you want to match ONLY the body and not the 
body+subject is low enough that this workaround is reasonable.

I mean, you could have a new category bodyonly, or something, but I doubt it's 
necessary.

Certainly changing the behavior of body now would be a mistake.

I've also had a problem when trying to write rules that rely on or
otherwise measure the length of the body. A more complicated set of
rules is needed for that, if it's even possible/reliable.

Q'n'D:

  header  __SUBJ_LENGTH    Subject =~ /./
  tflags  __SUBJ_LENGTH    multiple

  body    __BODY_LENGTH    /./
  tflags  __BODY_LENGTH    multiple

Inefficient as hell, but it should work.

Better to use eval:check_body_length() if you can, though.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  After ten years (1998-2008) of draconian gun control in the State
  of Massachusetts, the results are in: firearms-related assaults up
  78%, firearms-related homicides up 67%, assault-related emergency
  room visits up 331%. Gun Control does not reduce violent crime.
-----------------------------------------------------------------------
 3 days until the first Falcon Heavy test launch
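
Added example, not part of the original message and not SpamAssassin code: a small Python model of the behaviour discussed in this thread, where a body rule sees the Subject as the first paragraph of the rendered body. It compares the boolean meta from the thread with a count-based variant built on the "tflags multiple" idea; the function names, the FOO_COUNT meta and the sample messages are assumptions constructed for illustration.

```python
import re


def rendered_body(subject, body_text):
    """Model of what a `body` rule is matched against: the Subject
    becomes the first paragraph, followed by the body paragraphs."""
    paragraphs = [p.strip() for p in body_text.split("\n\n") if p.strip()]
    return [subject] + paragraphs


def hit_count(pattern, paragraphs):
    """Model of `tflags multiple`: the rule's value is the number of hits."""
    return sum(len(re.findall(pattern, p)) for p in paragraphs)


def evaluate(subject, body_text, pattern=r"foo"):
    # body   __FOO       /foo/            (also sees the Subject)
    body_hits = hit_count(pattern, rendered_body(subject, body_text))
    # header __SUBJ_FOO  Subject =~ /foo/
    subj_hits = hit_count(pattern, [subject])
    return {
        # meta FOO  __FOO && !__SUBJ_FOO   (the workaround from the thread)
        "FOO_BOOL": body_hits > 0 and not subj_hits > 0,
        # Hypothetical variant with `tflags multiple` on both sub-rules:
        # meta FOO_COUNT  __FOO > __SUBJ_FOO
        "FOO_COUNT": body_hits > subj_hits,
    }


if __name__ == "__main__":
    # Constructed sample messages: (subject, body text)
    samples = [
        ("hello", "foo here"),                        # only in body
        ("foo sale", "nothing to see"),               # only in subject
        ("foo sale", "more foo inside\n\nbye"),       # in both
    ]
    for subject, body in samples:
        print(repr(subject), "->", evaluate(subject, body))
```

The third sample shows the limit of the boolean meta: when the pattern is in both the Subject and the body, `__FOO && !__SUBJ_FOO` does not fire, while comparing hit counts still detects the body occurrence.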
