On Thu, 2009-06-18 at 18:01 -0400, MySQL Student wrote:

> I'm also having a problem with one of my rules:
> 
> [32692] info: config: invalid expression for rule LOCAL_XPS: "Subject
> =~ /Free\ DELL\ XPS/i": syntax error
> 
> Here is the full rule:
> 
> meta       LOCAL_XPS            Subject =~ /Free\ DELL\ XPS/i

That's not a meta rule.  It's a header rule.
> score      LOCAL_XPS            1.5
> describe   LOCAL_XPS            Rule by AS: XPS Dell
> 
> Do I need the backslashes to escape the spaces?

no, although \s would be fine.

>  Will that match that pattern anywhere on the line,

yes

>  or only
> that text on the line?
> 
> Can you explain to me the meaning of '(.+)' as in:

You are trying to DOS your system by matching any number of
characters...
> header LOCAL_RULE1      Subject =~ /(.+)Spam\ Sample(.+)/i

this can be much more effectively written as:
/.spam\ssample./i

That will match the words "spam sample" in the subject as long as there
is at least 1 character before and one after. 

> score LOCAL_RULE1       5.0
> describe LOCAL_RULE1    Subject Spam Sample
> 
> How about without the parens?
even better.  You can use parens for alteration.

See perldoc perlretut for more hints on regular expressions.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to