On Sat, 25 Oct 2014, Martin Gregorie wrote:

Less obviously, it doesn't seem to matter whether you write the rule
as /\.link\b/ or /\.link$/ - both give identical matches. Both match
the following regexes just as you'd expect:

http://www.linkedin.com/home/user/data.link
http://www.example.link

but, less obviously, both also match this:

http://www.example.link/path/to/file.txt

{boggle}

...but
"grep -P '\.link\b'" matches it, but
"grep -P '\.link$'" does not.

I presume that this means that the uri rule tests against two strings:
one being just the domain name and the other being the whole URI and
declares a rule hit if either string matches.

I don't think so, but I'm not positive.

If you have a testing environment set up, try adding this and see what you
get in the log:

uri __ALL_URI /.*/

Looking at my last test run I see only hits on the full URL, not hits on
the full URL plus hits on only the domain name.

SA still might be doing a double-test in the bowels of the uri rule code
and not reporting it separately, but I think that's somewhat unlikely.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
News flash: Lowest Common Denominator down 50 points
-----------------------------------------------------------------------
876 days since the first successful private support mission to ISS (SpaceX)
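
Added example, not part of the original message and not SpamAssassin code: a Python model of the two explanations discussed above, run over the three URIs quoted in the thread. The model function names and the host-anchored `HOST_TLD` pattern are hypothetical, and `HOST_TLD` assumes the rule is meant to hit only the .link TLD.

```python
import re
from urllib.parse import urlsplit

# URIs quoted in the message above.
URIS = [
    "http://www.linkedin.com/home/user/data.link",
    "http://www.example.link",
    "http://www.example.link/path/to/file.txt",
]

# The two rule bodies under discussion.
WORD_BOUNDARY = re.compile(r"\.link\b")
END_ANCHOR = re.compile(r"\.link$")

# Assumption: the intent is to hit the .link TLD only. This hypothetical
# pattern pins the match to the host part of the URI, so a path that merely
# ends in ".link" no longer counts.
HOST_TLD = re.compile(
    r"^[a-z][a-z0-9+.-]*://[^/?#]*\.link(?::\d+)?(?:[/?#]|$)", re.I)


def full_uri_only(pattern, uri):
    """Model 1: the rule is tested against the whole URI string only."""
    return bool(pattern.search(uri))


def full_uri_or_host(pattern, uri):
    """Model 2 (the hypothesis in the message): the rule is tested against
    the whole URI and against the bare host name; either hit counts."""
    host = urlsplit(uri).hostname or ""
    return bool(pattern.search(uri)) or bool(pattern.search(host))


def table(model):
    """Map each URI to (word-boundary rule hit, end-anchor rule hit)."""
    return {u: (model(WORD_BOUNDARY, u), model(END_ANCHOR, u)) for u in URIS}


if __name__ == "__main__":
    for name, model in (("full URI only", full_uri_only),
                        ("full URI or host", full_uri_or_host)):
        print(name)
        for uri, (wb, end) in table(model).items():
            print(f"  \\b={wb!s:5} $={end!s:5} {uri}")
    print("host-anchored TLD pattern")
    for uri in URIS:
        print(f"  {bool(HOST_TLD.search(uri))!s:5} {uri}")
```

Only the third URI separates the two models, so it is the one to watch for in the `__ALL_URI` log output when checking which strings a uri rule actually sees.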