On Wed, 18 Oct 2006, NFN Smith wrote: > Can anybody who has more experience in this area tell me of potential > problems to this approach?
It sounds terribly inefficient and overly complex. You should probably be using negative lookforward matches. For example, I have an obfuscated-word-rule generator that generates tests like this: # cialis @ 3.0 describe OBFU_WRD_021 obfuscated "cialis" body OBFU_WRD_021 /\b(?!cialis)(?:[c\xA2\xA9\xAB\xC7\xE7]|&\#(?:67|99);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[EMAIL PROTECTED]|\/\\|&a[a-z]+;)(?:[l1i!\|\xCC-\xCF]|(\|_)|&\#(?:76|108);)(?:[i!l1\|\/\xA1\xCC-\xCF\xEC-\xEF]|&i[a-z]+;)(?:[s5z\$\xA6\xA7\xA8]|&\#(?:83|115);)/i score OBFU_WRD_021 3.0 Note the (?!cialis) bit? That means "don't try the rest if it matches "cialis". n.b.: I am refining this tool to include double-letter obfuscation. I'll publish a link when that's done. It's a perl script that works against a word+score file to generate these rules. -- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ----------------------------------------------------------------------- ...the Fates notice those who buy chainsaws... -- www.darwinawards.com ----------------------------------------------------------------------- 13 days until Halloween
