Hello Matt,

Tuesday, April 12, 2005, 12:08:01 PM, you wrote:

MT> On Tuesday, April 12, 2005 @ 11:42:37 AM [-0700], Chris Conn wrote:

>> Hello,

>> I believe I asked for this a few days ago and was told that I would need
>> to write a plugin to do this =)

MT> Hmmm...shouldn't have to. I know the basic layout of what it should
MT> look like, I just suck at regex. It should be similar to below...

MT> body CHECK_1      (SOME REGEX I DON'T KNOW1)
MT> body CHECK_2      (SOME REGEX I DON'T KNOW2)
MT> body CHECK_3      (SOME REGEX I DON'T KNOW3)
MT> meta LOCAL_MULTIPLE_TESTS (( CHECK_1 + CHECK_2 + CHECK_3) > 3)
MT> score LOCAL_MULTIPLE_TESTS 10

MT> Am I close?

Close.  But you can't get >3 in three rules.

The question is how intelligent do you want to make the rule(s).  If
you want something like 

body  L_PIPE  m'\w\w\|\w\w'
body  L_ZERO  m'\w\w0\w\w'
body  L_VEEE  m'\\/\w'
body  L_AAAA  m'\w/\\\w'
body  L_LONE  m'\w\w1\w\w'
meta  L_OBFU2  L_PIPE + L_ZERO + L_VEEE + L_AAAA + L_LONE > 1

That's easy.  But it might be dangerous.

I'm working on a SARE rule set to test safely for these types of
obfuscations.  Should be done and ready for distribution by end of
month.

Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted [EMAIL PROTECTED],
and I'|| f1nd a 600D horme 4 them...

(Not the entire spam emails, please -- just the obfuscations.)

Bob Menschel
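
Added example (not part of the original thread): a Python emulation of the five body rules and the L_OBFU2 meta above, run over constructed sample lines to show why such a rule "might be dangerous", that is, prone to false positives. It assumes each body rule contributes 1 to the meta when it matches at least once; the function names and sample strings are made up for illustration.

```python
import re

# The five body rules from the message, as Python regexes.
# re.ASCII keeps \w close to Perl's default ASCII behaviour.
RULES = {
    "L_PIPE": re.compile(r"\w\w\|\w\w", re.ASCII),
    "L_ZERO": re.compile(r"\w\w0\w\w", re.ASCII),
    "L_VEEE": re.compile(r"\\/\w", re.ASCII),
    "L_AAAA": re.compile(r"\w/\\\w", re.ASCII),
    "L_LONE": re.compile(r"\w\w1\w\w", re.ASCII),
}


def hits(text):
    """Return the sorted names of the body rules that match text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def l_obfu2(text):
    """Emulate the meta: fires when more than one body rule matches."""
    return len(hits(text)) > 1


# Constructed sample lines (not taken from real mail).
SAMPLES = [
    ("obfuscated", "h0m3|ess un\\/\\/anted"),            # text: h0m3|ess un\/\/anted
    ("benign", "ticket 100123 closed"),                  # plain ticket number
    ("benign", "run ps aux|grep sshd, ref 2005041200"),  # shell pipe plus a date stamp
    ("benign", "Meeting moved to Tuesday at noon"),
]

if __name__ == "__main__":
    for label, text in SAMPLES:
        verdict = "FIRES" if l_obfu2(text) else "quiet"
        print(f"{label:10} {verdict:5} {hits(text)} {text!r}")
```

Because \w also matches digits, any number with a 0 or 1 in its interior trips L_ZERO or L_LONE, so ordinary ticket numbers and date stamps are enough to fire the meta.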


