On Fri, 13 Apr 2018, John Hardin wrote:
On Fri, 13 Apr 2018, Giovanni Bechis wrote:
On 04/13/18 09:06, Sebastian Arcus wrote:
Hello all. I am getting some fp's with emails from QuickBooks / Intuit
with the above rule:
Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ======> got hit: "https://myturbotax.intuit.com"
On a slightly different note, and mainly for my curiosity to understand SA
rules syntax, in 72_active.cf, the score seems to be commented out:
#score URI_TRY_3LD 2.000 # limit
But when it hits, it still adds 2.0 to the score (and I haven't customized
the score anywhere else). Is this a special form of SA syntax?
The score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with
tflags publish.
Giovanni
When a "score" line is present in a sandbox, that means the masscheck score
assignment process will limit the score it calculates to that.
If it's commented out or not present, then the masscheck process can assign
however high a score it likes based on the rule's performance against the
masscheck corpora.
I'll take a look at that rule, I don't remember offhand what I intended it
for.
It's fairly broad, intended to hit things like "tryviagra.mumble.com".
It's hitting on the "my" prefix on the hostname. I'll add an exclusion.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
How do you argue with people to whom math is an opinion? -- Unknown
-----------------------------------------------------------------------
Today: Thomas Jefferson's 275th Birthday