Nice Loren.... nowadays with uri_detail this is easily solved with something like uri_detail HTTPS_HTTP_MISMATCH text =~ /^https:\/\//i cleaned =~ /^http:\/\//iscore HTTPS_HTTP_MISMATCH 0.5describe HTTPS_HTTP_MISMATCH URL claims to use SSL but it does not
---------Pedro >On Wednesday, July 15, 2020, 02:20:34 AM GMT+2, Loren Wilton <lwil...@earthlink.net> wrote: > I'm looking to detect a mismatch between the domain in the href > property of a URI and a domain in the anchor text itself. >Not using > lookbehind, but I long ago wrote these two rules to look for similar > situations. Either could be modified fairly easily to do what you want. >Note: these are probably around 10 years old, written before there were URI >rules (if I remember correctly) so there may be more efficient ways to do >these these days. Loren >#check for attempting to phish >rawbody __LW_PHISH_2 >m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is >full __LW_PHISH_2a >m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is >meta LW_PHISH_2 __LW_PHISH_2 || __LW_PHISH_2a >score LW_PHISH_2 50 >describe LW_PHISH_2 numeric href with https description >#score __LW_PHISH_2 1 >#score __LW_PHISH_2a 1 >rawbody __LW_PHISH_3 /<a\s+[\s\w=\.]*href=\"http:[^>]+>https:/is >full __LW_PHISH_3a /<a\s+[\s\w=\.]*href=\"http:[^>]+>https:/is >meta LW_PHISH_3 __LW_PHISH_3 || __LW_PHISH_3a >score LW_PHISH_3 50 >describe LW_PHISH_3 secure description with insecure link >#score __LW_PHISH_3 10 >#score __LW_PHISH_3a 1