>It's quite hard to read all in one string. Perhaps use a file 
>interface like other sections where you can have lots of items in a 
>list.

It is possible to use file:files/yourfilename like in any other regex-based config, like bombRe.

Thomas



James Brown <[email protected]>
06.06.2009 04:31
Please reply to
ASSP development mailing list <[email protected]>

To
ASSP development mailing list <[email protected]>
Cc

Subject
Re: [Assp-test] Antwort: Re: Antwort: ClamAV - set scoring/reject based on virus database FP risk

On 06/06/2009, at 1:59 AM, Thomas Eckardt/eck wrote:

> The name of the virus is
>
> 'Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL'
>
> but there is no matching regex
>
> Sanesecurity\.Jurlbl\.Auto\.x=>1.6
> Sanesecurity\.Jurlbl\.x=>2.6
>
> the trailing 'x' will prevent the regex from matching
> (a trailing 'i' is in
> (Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i=>4.6 )
> ???
>
> I think the regexes should be:
>
> Sanesecurity\.Jurlbl\.Auto\.=>1.6
> Sanesecurity\.Jurlbl\.=>2.6
> (Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.=>4.6
>
> But your regex would not work in the current versions, because there
> are '|' inside the regexes.
> The complete regex will work to find a 'SuspiciousVirus', but to get the
> weight, we need to separate the regex in its parts. Currently this is done
> by looking for '|' - but this will not work with your regex as you can
> see.
>
>        while ($new =~ s/([^\|]+)?\s*\=\>\s*(-{0,1}\d+\.*\d*)\s*/$1/) {
>
> You should see this in the log while starting
>
> ...
> Info: SuspiciousVirus : regex Sanesecurity\.Jurlbl\.Auto\.x - weight
> set to 2.6
> ...
>
> some of your definitions should be not listed or wrongly listed.
>
> I think the following part is hard to find:
> (Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i=>4.6
> and if someone wants to do it, the regex parts could be very complex -
> much more than this one.
> I hope I've found a way to separate weighted regexes: a weighted regex
> has to begin and end with a '~' followed by '=>' and the weight value:
>
> ~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i~=>4.6
>
> and
>
>        while ($new =~ s/\~([^\~]+)?\~\s*\=\>\s*(-{0,1}\d+\.*\d*)\s*/$1/) {
>
> hoping a '~' will never be searched for in a weighted regex.
>
> I'll implement it this way in 2.0.1_RC0.2.08 .
>
> Fields marked with an additional asterisk (**) accept a second weight
> value. Every weighted regex has to begin and end with a '~' followed by
> '=>' and the weight value. For example: ~spammer~=>1.45 or
> ~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.i~=>4.6.
> The character '~' must never be used inside a weighted regular
> expression. The multiplication result of the weight and the penaltybox
> valence value will be used for scoring if the absolute value of the
> weight is less than or equal to 6. Otherwise the value of the weight is
> used for scoring.
>
>
> Thomas

Wow, thanks Thomas.

I've upgraded to 2.08 and this is my regex now:

~Phishing\.~=>4.6~Email.Spam\d{1,4}-SecuriteInfo~=>4.1~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6~Sanesecurity\.(Hdr|Img|ImgO|Junk|Doc|Casino)\.~=>6.1~Sanesecurity\.(Lott|Fake|SpamImg|Job|Stk)\.~=>6.1~Sanesecurity\.(Loan|Porn|Bou|Dipl|Cred)\.~=>6.1~Sanesecurity\.Jurlbl\.Auto\.~=>2.6~Sanesecurity\.Jurlbl\.~=>2.6~winnow\.phish\.~=>6.1~winnow\.spam\.~=>2.1~INetMsg\.SpamDomain-2w\.~=>2.0~INetMsg\.~=>1.0~(MSRBL-Images\.)~=>2.1~(MSRBL-SPAM\.)~=>5.1~Safebrowsing~=>1.25~Heuristics~=>1.25


It's quite hard to read all in one string. Perhaps use a file 
interface like other sections where you can have lots of items in a 
list.

That would allow people to use '~' in a regex too.

Anyway, I'll see how it goes.

Thanks again,

James.
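The two parsing schemes Thomas describes in the quoted message, as an added example that is not part of this thread or of ASSP's own code (ASSP is written in Perl; this is a Python re-implementation of the two quoted substitution patterns, which use only syntax that Perl and Python's re module share). The config strings are constructed samples based on the regexes posted above; the first-match-in-list-order rule in weight_for and the signature names other than Thomas's 'Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL' are assumptions, not ASSP behaviour the thread confirms.

```python
import re
from typing import List, NamedTuple, Optional

# Old list format, as Thomas describes it: 'regex=>weight' entries separated by '|'.
# Constructed sample; the third entry contains alternation, which breaks the split.
OLD_LIST = (
    r"Sanesecurity\.Jurlbl\.Auto\.=>1.6|"
    r"Sanesecurity\.Jurlbl\.=>2.6|"
    r"(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.=>4.6"
)

# New list format (2.0.1_RC0.2.08): every entry is '~regex~=>weight', no separator.
# Constructed sample: a subset of the list James posted.
NEW_LIST = (
    r"~Sanesecurity\.Jurlbl\.Auto\.~=>2.6"
    r"~Sanesecurity\.Jurlbl\.~=>2.6"
    r"~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6"
    r"~Safebrowsing~=>1.25"
    r"~Heuristics~=>1.25"
)

# Python translations of the two Perl patterns quoted in the thread.
OLD_ENTRY = re.compile(r"([^|]+)?\s*=>\s*(-?\d+\.*\d*)\s*")
NEW_ENTRY = re.compile(r"~([^~]+)?~\s*=>\s*(-?\d+\.*\d*)\s*")


class Rule(NamedTuple):
    text: str                      # regex source as written in the config
    weight: Optional[float]        # None when no '=>weight' was found
    regex: Optional[re.Pattern]    # None when the source does not compile


def _compile(text: str) -> Optional[re.Pattern]:
    try:
        return re.compile(text)
    except re.error:
        return None


def parse_old(config: str) -> List[Rule]:
    """Old scheme: split on '|' first, then look for '=>weight' in each part.
    Every '|' inside a regex's own alternation is mistaken for a separator,
    so the entry is shredded into fragments, most of them without a weight
    and some of them not even valid regexes."""
    rules = []
    for part in config.split("|"):
        m = OLD_ENTRY.fullmatch(part)
        if m is None:
            rules.append(Rule(part, None, _compile(part)))
        else:
            rules.append(Rule(m.group(1), float(m.group(2)), _compile(m.group(1))))
    return rules


def parse_new(config: str) -> List[Rule]:
    """New scheme: '~' delimits each regex, so a '|' inside it is never touched.
    The '[^~]+' class is exactly why '~' cannot appear inside a weighted regex."""
    return [
        Rule(m.group(1), float(m.group(2)), _compile(m.group(1)))
        for m in NEW_ENTRY.finditer(config)
    ]


def weight_for(virus_name: str, rules: List[Rule]) -> Optional[float]:
    """Weight of the first rule whose regex matches the ClamAV signature name.
    First match in list order is an assumption; the thread does not say how
    ASSP picks a rule when several match."""
    for rule in rules:
        if rule.regex is not None and rule.regex.search(virus_name):
            return rule.weight
    return None


def final_score(weight: float, penaltybox_valence: float) -> float:
    """Scoring rule from the changelog text quoted above: multiply by the
    penaltybox valence when |weight| <= 6, otherwise use the weight as-is."""
    return weight * penaltybox_valence if abs(weight) <= 6 else weight


if __name__ == "__main__":
    for rule in parse_old(OLD_LIST):
        print("old:", repr(rule.text), "weight", rule.weight,
              "compiles" if rule.regex else "DOES NOT COMPILE")
    rules = parse_new(NEW_LIST)
    for rule in rules:
        print("Info: SuspiciousVirus : regex", rule.text, "- weight set to", rule.weight)
    name = "Sanesecurity.Jurlbl.Auto.16581.UNOFFICIAL"   # the name from Thomas's example
    w = weight_for(name, rules)
    print(name, "->", w, "-> score", final_score(w, 10))
```

Running it shows the failure mode Thomas describes: the old split turns the single alternation regex into eight fragments, five with no weight at all and a last one ('Scam)[a-z0-9]?)\.') that is not a valid regex, while the '~' scheme recovers all five entries intact and maps the Jurlbl.Auto signature to 2.6.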


------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test



