On Wed, 28 May 2014, Ian Zimmerman wrote:
On Wed, 28 May 2014 10:47:35 -0700 (PDT)
John Hardin <jhar...@impsec.org> wrote:
John> The only place I've found backreferences useful is when writing a
John> header rule that is looking for the same string in multiple
John> headers.
John> Other than that, captures are very rare.
There was a pattern in the recent campaigns where backreferences would
be perfect. So far I have been busy trying other approaches but I may
come back to that.
Example at
http://pastebin.com/KUJAWdHq
There's already a rule for that, look for HEXHASH_WORD.
Focusing on repetition of the *same* hex string narrows it too much, it's
too easy to defeat by generating a new random string for every insertion.
You'll notice that one uses two different strings; making every one
different is an obvious improvement.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"They will be slaughtered as result of England's anti-gun laws
that concentrates power to the Government."
-- Shifty Powers (101 abn) observing British
subjects training to repel a German invasion
using rakes, hoes and pitchforks
-----------------------------------------------------------------------
9 days until the 70th anniversary of D-Day
