--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz <[EMAIL PROTECTED]> wrote:

I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV.  I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension.  However, my rule is
not working.  Can someone help advise what is wrong?  I want it to pickup
any http or https with those extensions.


body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i


 uri      Dangerous_URL        /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.


Joseph Brennan
Columbia University Information Technology
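To make the regex point concrete, here is an added example (mine, not part of the thread) that runs the three patterns over a handful of constructed URIs in Python; the Perl-style quantifier and lookahead semantics are the same as in SpamAssassin, so the behaviour carries over. The sample URIs and the NARROWED pattern are my own constructions.

```python
import re

# Constructed sample URIs (not from the thread), standing in for what a
# SpamAssassin 'uri' rule would be handed.
SAMPLE_URIS = [
    "http://download.example.test/setup.exe",
    "https://cdn.example.test/card.scr?id=7",
    "http://www.scratchy.tld/",          # the false positive Joseph warns about
    "http://www.exe.example.test/",      # extension string inside a hostname
    "http://example.test/report.pdf",    # benign extension
]

# Dave's original pattern: the {1,200} binds to the preceding 'p', so it
# means "htt" followed by 1-200 'p' characters and then a literal dot.
BROKEN = re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I)

# Joseph's corrected pattern: the '.' lets the quantifier span any
# 1-200 characters between "http" and the extension.
FIXED = re.compile(r"http.{1,200}\.(?:exe|scr|pif)", re.I)

# A narrowed variant (my suggestion, not from the thread): \S keeps the
# match inside a single token, and the negative lookahead refuses an
# extension that is directly followed by another label or word character,
# so "www.scratchy.tld" and "www.exe.example.test" no longer fire.
NARROWED = re.compile(r"http\S{1,200}\.(?:exe|scr|pif)(?![\w.-])", re.I)


def matches(pattern, uris=SAMPLE_URIS):
    """Return the subset of uris that the given compiled pattern flags."""
    return [u for u in uris if pattern.search(u)]


if __name__ == "__main__":
    for name, pat in (("BROKEN", BROKEN), ("FIXED", FIXED), ("NARROWED", NARROWED)):
        print(name, matches(pat))
```

The broken pattern flags nothing realistic (it would only fire on a string such as `httpp.exe`), the fixed pattern catches the real downloads but also the two hostname false positives, and the narrowed one keeps only the genuine executable links.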
