On 09/03/06 11:24 AM, Dallas L. Engelken wrote:
> For example, in order to determine if there is an inline gif (recent
> stock spam), we have to use a full rule currently. Which as we know can
> be very inefficient.
>
> full SARE_GIF_ATTACH /name=\"[a-z]{3,18}\.gif\"/
>
> What I really want is to do this evaluation on the entire mime info
> minus the content found within that mime part. Something like
>
> mimeheader SARE_GIF_ATTACH /name=\"[a-z]{3,18}\.gif\"/
>
> <snip other MIME data>
> ------=_NextPart_001_0008_01C63B0B.69D62A00--
> ------=_NextPart_000_0007_01C63B0B.69D62A00
> Content-Type: image/gif;
>     name="tkvsumcgojm.gif"
> Content-Transfer-Encoding: base64
> Content-ID: <[EMAIL PROTECTED]>
> ------=_NextPart_000_0007_01C63B0B.69D62A00--
>
> I think either changing the full rule type to do the above, or adding a
> new rule type that contains this data would be a great thing for rule
> writers! And much more efficient.
>
> Cya,
> Dallas

I've never tried using the MIMEHeader plugin and haven't looked at its
code, but I believe it'll allow you to implement your example, looking
for a GIF filename. It doesn't provide the entire MIME data in one
chunk but it does allow you to match against a MIME header.
This might do what you want (at least in the example case):
mimeheader SARE_GIF_ATTACH Content-Type =~ /name=\"[a-z]{3,18}\.gif\"/
Daryl
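
Added example, not part of the original thread and not SpamAssassin code: a small Python harness for checking the regex from the rules above against a sample message, comparing a scan of the whole raw message (the `full` approach) with a scan limited to each MIME part's Content-Type header (the `mimeheader` approach). The sample message, its boundary string, and the function names are constructed for illustration; unfolding continuation lines before matching is an assumption of this example, not a statement about how the plugin works.

```python
import re
from email import message_from_string

# Pattern taken from the rules in the thread (case-sensitive, 3-18 lowercase letters).
GIF_NAME = re.compile(r'name="[a-z]{3,18}\.gif"')

# Constructed sample message; addresses, boundary and contents are made up.
SAMPLE = "\n".join([
    "From: sender@example.com",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/related; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    'Body text that merely mentions name="abc.gif" in passing.',
    "--b1",
    "Content-Type: image/gif;",
    '\tname="tkvsumcgojm.gif"',
    "Content-Transfer-Encoding: base64",
    "",
    "R0lGODlhAQABAAAAACw=",
    "--b1--",
    "",
])

def full_match(raw):
    """Scan the entire raw message, bodies included (what a 'full' rule sees)."""
    return [m.group(0) for m in GIF_NAME.finditer(raw)]

def mimeheader_match(raw, header="Content-Type"):
    """Scan only the named header of each MIME part, never the part bodies."""
    hits = []
    for part in message_from_string(raw).walk():
        for value in part.get_all(header, []):
            # Collapse folded continuation lines into one logical header line.
            unfolded = re.sub(r"\r?\n[ \t]+", " ", str(value))
            m = GIF_NAME.search(unfolded)
            if m:
                hits.append(m.group(0))
    return hits

if __name__ == "__main__":
    print("full:      ", full_match(SAMPLE))
    print("mimeheader:", mimeheader_match(SAMPLE))
```

The header-scoped scan skips the encoded attachment data and also ignores the string where it only appears in body text; because the pattern has no case-insensitive flag, a filename in upper case is missed by both.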