Hi,

On Mon, May 12, 2014 at 7:08 PM, Karsten Bräckelmann <[email protected]> wrote:

> On Mon, 2014-05-12 at 13:46 -0400, Alex wrote:
> > On Sun, May 11, 2014 at 9:32 PM, Karsten Bräckelmann <[email protected]> wrote:
> >
> > > This is supposed to be a rawbody rule. I know, because I've discussed
> > > and partly developed the rule(set) in question with you before, back in
> > > Oct 2013. And the RB prefix is a hint as well. ;)
> > >
> > > http://markmail.org/message/ebrm6snglxipj6wx
> >
> > Oh, I remember this thread very well. I referenced your helping me
> > with it in the beginning of this post.
>
> You mentioned KAM. ;)

Heh, my apologies.

> > It wasn't a case of not understanding the difference between body and
> > rawbody, at least. I plan to experiment further with the body version
> > you've just created, and see if there's usefulness with that in other
> > cases.
>
> While potentially useful in other cases, it is required to make your
> rule apply as intended to the sample provided.

You mean 'it' is rawbody here, right? I've changed it, and it's much better. I do see other cases where body would be more effective, so I'd like to work on that as a separate rule too.

> The actual text sure is less than 200 chars, but with the amount of HTML
> markup, the rawbody payload doesn't count as short and easily exceeds
> the 200 char threshold. With the __RB_GT_200 sub-rule fixed to a rawbody
> rule, the overall rule LOC_SHORT will not match the sample.

Yes, I think you're just summarizing what we've already discussed here, and I really appreciate your help.

Thanks,
Alex

> --
> char *t="\10pse\0r\0dtu\0.@ghno
> \x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
> c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> }}}
