Karsten Bräckelmann skrev den 2013-07-11 04:57:
I left that out deliberately, because it is >= 3.4 IIRC, not 3.3. And
with a rather limited string like ALL, headers only, it hardly is
worth
the additional maxhit test for each match anyway.
maxhits is a chicken and egg problem on its own, pcre will be wasted
before we can limit with maxhits, or is there some magic sa use to limit
pcre ?
and i have head attache with abcde.html 5 chars matching in urls
like
http://example.org/abcde.html
all i tryed fails
Sorry, I don't get what you're about. "5 chars matching", URL?
yep failing rule creating in another problem i like to create a rule
for, random url domains with exactly 5 chars and a dot ending in either
html or htm, now that spammer know i know possible this will stop :)
rawbody 5STARS /[a-z]{5}\.(html|htm)/i
not ok ?
One time? The OP from Andreas states the following:
Are there SA Rules to score a missing or multiple from header?
yep, what i had was rules for From: in 2 header lines, not From: with
multiple senders
What do you mean, not necessary because one time?
multiple From: is long gone, but replaced by multiple senders in one
From: line
That reads zero or more than one time to me.
wish there was more corpus samples from Andreas :)
Which is the exact opposite of what you just wrote. No?
lost in thread now :(
