Thanks all for the info, the uri check is much better. Joseph, you were absolutely correct about it catching too wide. I modified it to pattern check the end only and it now works a treat!
uri DANGEROUS_URL /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL URL contains executable content
score DANGEROUS_URL 7.5

Joseph Brennan Wrote:

--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz <[EMAIL PROTECTED]> wrote:

> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV. I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension. However, my rule is
> not working. Can someone help advise what is wrong? I want it to pick up
> any http or https with those extensions.
>
> body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i

uri Dangerous_URL /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code. You could use 'rawbody' but normally one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original matches 1 to 200 'p' characters.

Loren Wilton suggested leaving out the 'http.{1,200}'. Note, this would match things like www.scratchy.tld unless you narrow it further.

Mimedefang is very good at matching bad file extensions, if you feel like adding that to your system.
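To make the behaviour of the four regexes in this thread concrete, here is an added Python harness that is not part of the original messages and is not SpamAssassin's own uri matching engine. It runs each pattern (Dave's original body rule, Joseph's corrected uri rule, Loren's prefix-free variant, and Dave's final end-anchored DANGEROUS_URL) over a handful of constructed URIs with hypothetical hostnames. The patterns use only constructs on which Perl and Python's re agree, so the hits and misses carry over to what a uri rule would do on the extracted link; one deliberately includes a query string after .exe, which the end-anchored rule does not match.

```python
import re

# The regex bodies from the thread, as they would sit between the slashes
# of a SpamAssassin rule (the trailing /i becomes re.I here).
RULES = {
    # Dave's first attempt: '{1,200}' quantifies only the final 'p' of 'http',
    # so it needs "htt" + 1..200 'p' + ".exe", which no real URL contains.
    "original": re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I),
    # Joseph's fix: the '.' before '{1,200}' lets it span the rest of the URL.
    "joseph": re.compile(r"http.{1,200}\.(?:exe|scr|pif)", re.I),
    # Loren's suggestion: drop the 'http.{1,200}' prefix entirely.
    "loren": re.compile(r"\.(?:exe|scr|pif)", re.I),
    # Dave's final DANGEROUS_URL rule: extension list anchored at the end.
    "final": re.compile(r"\.(exe|scr|pif|cmd|bat|vbs|wsh)$", re.I),
}

# Constructed sample URIs (hypothetical hosts; not taken from the thread).
SAMPLE_URIS = [
    "http://example.test/update.exe",
    "https://example.test/cards/greeting.scr",
    "http://www.scratchy.tld/index.html",            # Joseph's false-positive case
    "http://example.test/download/setup.exe?id=1",  # query string after .exe
    "http://example.test/docs/report.pdf",
]


def matches(rule_name, uri):
    """True if the named rule's regex would hit this URI (unanchored search)."""
    return RULES[rule_name].search(uri) is not None


def hits(rule_name, uris=SAMPLE_URIS):
    """Return the subset of uris the named rule flags, in input order."""
    return [u for u in uris if matches(rule_name, u)]


def report(uris=SAMPLE_URIS):
    """Print a hit/miss matrix for every rule over the sample URIs."""
    for name in RULES:
        print(f"{name}:")
        for u in uris:
            print(f"  [{'x' if matches(name, u) else ' '}] {u}")


if __name__ == "__main__":
    report()
```

Running it shows the original rule flags nothing in the list (it would only fire on a string such as "httppp.exe"), Joseph's and Loren's variants both flag the .scratchy.tld host because ".scr" is found mid-string, and the end-anchored rule flags just the two URIs that end in a listed extension, missing the one whose .exe is followed by a query string.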