On Tue, 2017-01-31 at 11:53 -0800, John Hardin wrote:
> On Tue, 31 Jan 2017, Zinski, Steve wrote:
>
> > Here’s the “view source” of the message in question.
> >
> > http://pastebin.com/AnwkAf9t
> >
> > Again, it’s line 88 that I’m trying to match.
>
> ...let's try this again...
>
> A uri rule hits that here:
>
> Jan 31 09:21:07.423 [21842] dbg: rules: ran uri rule __ALL_URI ======> got hit: "http://trc.spam_domain_redacted.com/redirect.php?email=redac...@uronline.net"
>
> It also hits an existing rule:
>
> Jan 31 09:21:07.525 [21842] dbg: rules: ran rawbody rule __BUGGED_IMG ======> got hit: "<img src="http://trc.spam_domain_redacted.com/redirect.php?email=re"

Like John, the text you posted hits one of my private rules when fed through my rule testing and development environment. This is a metarule that fires if a URI subrule finds a PHP script reference OR a BODY subrule finds a PHP script reference preceded and followed by 0-32 non-whitespace characters.
So, questions:

- how did you capture the text you posted, i.e. is it exactly the same as SA would have seen?
- did you restart SA before running each of the tests you describe? Every so often I forget that and then waste time with head scratching until I remember to restart SA.

Martin
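To make the metarule structure Martin describes concrete (a URI subrule OR a body subrule, the latter with 0-32 non-whitespace characters on either side of the PHP reference), here is an added Python sketch. It is not code from this thread, from Martin's private rule set, or from SpamAssassin itself; the regexes, the rule names `__PHP_SCRIPT_URI`, `__PHP_SCRIPT_BODY` and `PHP_SCRIPT_REF`, the crude URI extractor and the sample bodies are all assumptions constructed for illustration. The spam sample is modelled on the rawbody hit John quoted, using the thread's already-redacted domain and a placeholder address.

```python
import re
from typing import Dict, Iterable, List

# Hypothetical patterns standing in for the private subrules described in the post.
# URI subrule: the path component of an extracted URI names a .php script.
PHP_URI_RE = re.compile(r'/[^/?#\s]+\.php(?:[?#]|$)', re.IGNORECASE)
# BODY subrule: a .php reference "preceded and followed by 0-32 non-whitespace
# characters", rendered literally as \S{0,32} on both sides.
PHP_BODY_RE = re.compile(r'\S{0,32}[\w.-]+\.php\S{0,32}', re.IGNORECASE)

# Assumed SpamAssassin rendering of the same logic (not the list member's actual
# rule). Double-underscore names score nothing on their own; only the meta rule
# carries a (deliberately small) score.
SA_RULES = r"""
uri      __PHP_SCRIPT_URI   /\/[^\/?#\s]+\.php(?:[?#]|$)/i
rawbody  __PHP_SCRIPT_BODY  /\S{0,32}[\w.-]+\.php\S{0,32}/i
meta     PHP_SCRIPT_REF     (__PHP_SCRIPT_URI || __PHP_SCRIPT_BODY)
describe PHP_SCRIPT_REF     Message references a PHP script by URI or in the body
score    PHP_SCRIPT_REF     0.1
"""


def extract_uris(rawbody: str) -> List[str]:
    """Crude stand-in for SA's URI extraction (assumption, not SA's parser):
    pull http(s) URLs out of the raw body so the uri subrule has input."""
    return re.findall(r'https?://[^\s"\'<>]+', rawbody, flags=re.IGNORECASE)


def uri_subrule(uris: Iterable[str]) -> bool:
    """__PHP_SCRIPT_URI: true if any extracted URI names a .php script."""
    return any(PHP_URI_RE.search(u) for u in uris)


def body_subrule(rawbody: str) -> bool:
    """__PHP_SCRIPT_BODY: true if the raw body carries a .php reference."""
    return PHP_BODY_RE.search(rawbody) is not None


def meta_rule(uris: Iterable[str], rawbody: str) -> Dict[str, bool]:
    """Evaluate the meta rule the way SA would: each subrule first, then the OR.
    Returning every subrule result mirrors what `spamassassin -D rules` shows,
    which is what you want when working out *why* a meta rule fired."""
    hits = {
        "__PHP_SCRIPT_URI": uri_subrule(uris),
        "__PHP_SCRIPT_BODY": body_subrule(rawbody),
    }
    hits["PHP_SCRIPT_REF"] = hits["__PHP_SCRIPT_URI"] or hits["__PHP_SCRIPT_BODY"]
    return hits


def evaluate(rawbody: str) -> Dict[str, bool]:
    """Run extraction plus all three rules over one raw body."""
    return meta_rule(extract_uris(rawbody), rawbody)


# Constructed samples. SPAM_BODY is modelled on the rawbody hit quoted in the
# thread (redacted domain kept, address replaced by a placeholder); HAM_BODY is
# an ordinary message with a non-PHP link so the rule has something to miss.
SPAM_BODY = ('<img src="http://trc.spam_domain_redacted.com/redirect.php'
             '?email=someone@example.invalid" width="1" height="1">')
HAM_BODY = ('Hi, slides are at http://www.example.invalid/talks/2017/sa.pdf '
            '- see you Friday.')

if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(name, evaluate(body))
```

Two points worth noticing when you run it. First, the body subrule's `\S{0,32}` on each side adds no real constraint (zero characters always satisfy it), so the "preceded and followed by" wording is really documenting intent rather than narrowing the match. Second, `uri_subrule(["http://example.invalid/index.php"])` also fires, which is why a pattern this broad belongs in a double-underscore subrule feeding a low-scored meta rule, not in a rule that scores on its own.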