Thanks all for the info, the uri check is much better.  

Joseph you were absolutely correct about it catching too wide.  I modified
it to pattern check the end only and it now works a treat!

uri      DANGEROUS_URL        /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL        URL contains executable content
score    DANGEROUS_URL        7.5
 

Joseph Brennan Wrote:

--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz <[EMAIL PROTECTED]> 
wrote:

> I am still getting some Storm Worm messages that are not being caught,
> even with Sane Security / ClamAV.  I thought I'd write a rule to score
> any URL that has a dot exe, scr or pif extension.  However, my rule is
> not working.  Can someone help advise what is wrong?  I want it to pickup
> any http or https with those extensions.
>
>
> body     Dangerous_URL        /http{1,200}\.(?:exe|scr|pif)/i


  uri      Dangerous_URL        /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.
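To see the three patterns from this thread side by side, here is an added Python check (not SpamAssassin code and not from either poster) that runs Dave's original body rule, Joseph's dot-corrected version, and Dave's final anchored uri rule over a few constructed sample URIs, including the www.scratchy.tld false positive Joseph mentions; the sample URIs and the helper names are my own.

```python
import re

# The regex body of each /.../i rule as it appears in the thread.
ORIGINAL_BODY_RULE = re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.IGNORECASE)     # Dave's first attempt
DOT_FIXED_RULE = re.compile(r"http.{1,200}\.(?:exe|scr|pif)", re.IGNORECASE)        # Joseph's correction
ANCHORED_URI_RULE = re.compile(r"\.(exe|scr|pif|cmd|bat|vbs|wsh)$", re.IGNORECASE)  # Dave's final rule

# Constructed sample URIs (not from the thread); a 'uri' rule is run against each link found in a message.
SAMPLE_URIS = [
    "http://example.invalid/downloads/update.EXE",   # mixed case, still an executable
    "http://example.invalid/screensaver.scr",
    "http://www.scratchy.tld/index.html",            # the ".scr" false positive Joseph warned about
    "http://example.invalid/report.pdf",
    "https://example.invalid/setup.cmd",             # only the final, wider rule lists .cmd
]


def matches(rule, uri):
    """True if the rule would fire on this URI (search, as SpamAssassin does, not full match)."""
    return rule.search(uri) is not None


def evaluate(rule, uris=SAMPLE_URIS):
    """Return the subset of uris the rule fires on, preserving order."""
    return [u for u in uris if matches(rule, u)]


if __name__ == "__main__":
    for name, rule in [("original body rule", ORIGINAL_BODY_RULE),
                       ("dot-fixed uri rule", DOT_FIXED_RULE),
                       ("anchored uri rule", ANCHORED_URI_RULE)]:
        print(f"{name}: {evaluate(rule)}")
    # The original pattern only ever matches "htt" followed by a run of 'p' characters:
    print("original rule on 'httppp.exe':", matches(ORIGINAL_BODY_RULE, "httppp.exe"))
```

Without the dot, `http{1,200}` never matches a real `http://` link, the dot-corrected form fires on www.scratchy.tld because `.scr` is allowed to appear anywhere, and the `$`-anchored form only fires when the extension ends the URI.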


