On Mon, Oct 27, 2014 at 4:55 PM, John Hardin <jhar...@impsec.org> wrote:
> On Mon, 27 Oct 2014, francis picabia wrote:
>
>> uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i
>>
>> However another spoofed message was received today and the rule
>> did not capture it.
>>
>> If I want to detect something in the form of:
>> random_server.example.com.junk
>> I need to wildcard the first bit. Would that be:
>>
>> uri URI_EXAMPLE_EXTRA m;^https?://(?:.*\.)?example\.com[^/?];i
>>
>> I don't understand what the question mark and colon does inside the ( )
>> I thought it followed an optional char or expression. Should it be
>> like this?
>>
>> uri URI_EXAMPLE_EXTRA m;^https?://(.*\.)?example\.com[^/?];i
>
> (?:) means "group, don't remember the match". () remembers what's matched
> for future use in the RE (e.g. to check for repeated strings like
> "abcabcabcabc").
>
> Try this:
>
> uri URI_EXAMPLE_EXTRA m;^https?://(?:[^./]+\.)*example\.com[^/?];i

Once again, thanks for the RE coding. I found a false positive it captured
with my attempt at this:

<a href="http://www.newslettersite.com/redirectnewsletter_login.asp?URL=http://www.secondsite.com/PYB/contact_us.asp&loginemail=u...@example.com&logincode=123456&utm_source=Articles_Air_01112014&utm_medium=email&utm_campaign=newsletter&utm_content=contactus"

I've tested your rule with that and it does not tag for the above. Great.
Hopefully useful to others facing domain spoofs in phishing.
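The following is an added test harness, not code from either poster or from SpamAssassin. It compiles the two uri patterns discussed in the thread as Python regexes (Python's re handles `(?:...)`, `[^./]` and the `i` flag the same way Perl does for these patterns) and runs them over a set of constructed sample URIs: a lookalike-domain spoof, two legitimate links on the real domain, and a newsletter-style redirect URL of the same shape as the false positive reported above. It also shows the capturing versus non-capturing group difference John describes. The sample URIs and the domain `example.com` are assumptions for illustration.

```python
import re

# Rule from the original poster's attempt: the greedy ".*" may run across
# "/" and "?" into the path or query string of the URI.
ATTEMPT = re.compile(r'^https?://(?:.*\.)?example\.com[^/?]', re.I)

# Rule suggested in the reply: each wildcarded label must be a run of
# characters that are neither "." nor "/", so the match is confined to
# the host part of the URI. SpamAssassin's m;...;i is case-insensitive,
# hence re.I here.
HARDIN = re.compile(r'^https?://(?:[^./]+\.)*example\.com[^/?]', re.I)

# Constructed sample URIs (not taken from the thread).
SAMPLES = {
    # lookalike host: the real domain is embedded inside a longer hostname
    "spoof": "http://random_server.example.com.junk/login",
    # odd casing and an explicit port; ":" is neither "/" nor "?"
    "spoof_port": "HTTP://Example.COM:8080/login",
    # legitimate links on the real domain end the host with "/" or "?"
    "legit_root": "https://example.com/",
    "legit_www": "http://www.example.com/path?x=1",
    # redirect URL mentioning the domain only inside a query parameter
    "fp_redirect": ("http://www.newslettersite.com/redirect.asp"
                    "?URL=http://www.secondsite.com/contact.asp"
                    "&loginemail=user@mail.example.com&code=1"),
}


def fires(uri, rule=HARDIN):
    """Return True when the given uri rule would hit on this URI."""
    return rule.search(uri) is not None


def compare(uris):
    """Map each sample name to (attempt_hits, hardin_hits)."""
    return {name: (fires(u, ATTEMPT), fires(u, HARDIN))
            for name, u in uris.items()}


def captured_groups(pattern, text):
    """Show what "()" remembers and "(?:)" does not: the tuple of captured
    substrings for a successful match, or None when the pattern misses."""
    m = re.search(pattern, text, re.I)
    return m.groups() if m else None


if __name__ == "__main__":
    for name, (a, h) in compare(SAMPLES).items():
        print(f"{name:12s} attempt={a!s:5s} hardin={h!s:5s}")
    # "()" keeps the wildcarded prefix; "(?:)" keeps nothing.
    print(captured_groups(r'^https?://(.*\.)?example\.com[^/?]',
                          SAMPLES["spoof"]))
    print(captured_groups(r'^https?://(?:.*\.)?example\.com[^/?]',
                          SAMPLES["spoof"]))
```

Running it shows both rules hitting the two spoofed hosts and missing the two legitimate links, but only the `.*` version hitting the redirect URL, because nothing stops `.*` from consuming the path and query string until it finds `.example.com` somewhere later in the URI. The label-restricted form stops at the first `/`, which is exactly the property that removes this class of false positive.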