Duane Hill wrote:
> There is already a test SA does for a dotted-decimal IP in a URL:
Yeah, I was afraid of false positives by raising the score of that rule.
So I made my own rule that only matches these specific urls (with the
MD5 sum) instead.
Regards,
Michael Schout
y rule that traps them. I have not seen any get through after
this:
body LOCAL_POSTCARD_URL m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
describe LOCAL_POSTCARD_URL Body contains postcard scam url
score LOCAL_POSTCARD_URL 3.0
Regards,
Michael Schout
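
The false-positive trade-off discussed in this thread, as an added example that is not part of the original posts: a small Python evaluator that parses the rule above next to a broad "any dotted-decimal IP URL" rule and runs both over sample bodies. The rule name LOCAL_ANY_IP_URL, the helper names and all sample text are assumptions constructed for illustration; the IPs are documentation addresses.

```python
import re

# Rule from the post, plus a hypothetical broad rule (LOCAL_ANY_IP_URL is
# made up here, not a stock SpamAssassin rule) for comparison.
RULES = r"""
body LOCAL_POSTCARD_URL m'http://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
describe LOCAL_POSTCARD_URL Body contains postcard scam url
score LOCAL_POSTCARD_URL 3.0
body LOCAL_ANY_IP_URL m'http://\d+\.\d+\.\d+\.\d+'
score LOCAL_ANY_IP_URL 3.0
"""

# Constructed sample bodies.
SAMPLES = [
    "You got a postcard! http://192.0.2.15/?3f9a1c7be02d4456a1b2c3d4e5f60718",
    "Printer admin page: http://198.51.100.7/status",
    "Ticket link: http://192.0.2.15/?id=42",
    "See http://example.com/?deadbeefcafe for details",
]

def parse_rules(text):
    """Parse body/score lines into {name: {"re": pattern, "score": float}}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        kind, name, rest = parts
        # 1.0 is the score SpamAssassin gives a rule with no score line.
        entry = rules.setdefault(name, {"re": None, "score": 1.0})
        if kind == "body":
            m = re.fullmatch(r"m'(.*)'", rest.strip())
            if m:
                entry["re"] = re.compile(m.group(1))
        elif kind == "score":
            entry["score"] = float(rest)
    return rules

def hits(rules, body):
    """Names of the rules whose pattern matches anywhere in the body."""
    return sorted(n for n, r in rules.items() if r["re"] and r["re"].search(body))

def total_score(rules, body):
    return sum(rules[n]["score"] for n in hits(rules, body))

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for body in SAMPLES:
        print(f"{total_score(parsed, body):4.1f}  {hits(parsed, body)}  {body}")
```

The broad rule fires on the printer and ticket links as well, while the narrow rule fires only on the URL whose query string starts with eight or more hex digits.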