Johann Spies wrote:
> On Tue, Feb 24, 2009 at 02:51:36PM +0100, Karsten Bräckelmann wrote:
>> More seriously, unless you provide raw samples [1], including the
>> rules hit on your system, there's probably not much else to say.
>>
>
> You can download them at ftp://g...@ftp.sun.ac.za/pespos.tar.gz . Use
> password 'tydelik'.

Hi Johann

I have three rules that would have helped you catch some of those (I
didn't check all of your examples):

# google group URL contains ..
uri NN_GOOGLE_GROUP_DD m'www\.google\.com/.*\.\..*/group/'i
describe NN_GOOGLE_GROUP_DD Link to a Google group contains '..'
score NN_GOOGLE_GROUP_DD 4

# google group url contains question mark
uri NN_GOOGLE_GROUP_QM m'google\.com/.*group/[^?]{6,}\?[^?]{6}'i
describe NN_GOOGLE_GROUP_QM Highly suspect link to a google group
score NN_GOOGLE_GROUP_QM 4

uri __GOOGLEGROUPS_15 m'http://[^.]{15}\.googlegroups\.com'i
uri __GOOGLEGROUPS_NUM m'http://[^.]*[0-9][^.]*\.googlegroups\.com'i
meta NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 && __GOOGLEGROUPS_NUM
describe NN_GOOGLEGROUPS_15 Contains a suspicious googlegroups URI.
score NN_GOOGLEGROUPS_15 2

/Per Jessen, Zürich
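
Added example, not part of Per Jessen's message: a Python harness that runs the three rules above, including the meta rule, against constructed URIs to show what each rule hits and what it leaves alone. It assumes Python's re module behaves like SpamAssassin's Perl regexes for these patterns and does not reproduce SpamAssassin's own URI extraction; the evaluate() helper and every sample URI are hypothetical.

```python
import re

# Patterns copied from the rules in the message above; the trailing 'i' of
# m'...'i becomes re.IGNORECASE. Names starting with "__" are unscored sub-rules.
URI_RULES = {
    "NN_GOOGLE_GROUP_DD": r"www\.google\.com/.*\.\..*/group/",
    "NN_GOOGLE_GROUP_QM": r"google\.com/.*group/[^?]{6,}\?[^?]{6}",
    "__GOOGLEGROUPS_15": r"http://[^.]{15}\.googlegroups\.com",
    "__GOOGLEGROUPS_NUM": r"http://[^.]*[0-9][^.]*\.googlegroups\.com",
}
SCORES = {"NN_GOOGLE_GROUP_DD": 4, "NN_GOOGLE_GROUP_QM": 4, "NN_GOOGLEGROUPS_15": 2}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in URI_RULES.items()}


def evaluate(uri):
    """Return (sorted scored rules that hit, total score) for a single URI."""
    hits = {name for name, rx in COMPILED.items() if rx.search(uri)}
    # meta NN_GOOGLEGROUPS_15 fires only when both sub-rules match.
    if {"__GOOGLEGROUPS_15", "__GOOGLEGROUPS_NUM"} <= hits:
        hits.add("NN_GOOGLEGROUPS_15")
    scored = sorted(name for name in hits if name in SCORES)
    return scored, sum(SCORES[name] for name in scored)


# Constructed sample URIs (assumptions for illustration, not taken from the
# samples discussed in the thread).
SAMPLES = [
    "http://www.google.com/a/../group/example-list/web/page",             # '..' in path
    "http://groups.google.com/group/example-list/web/page?hl=en&x=12345", # query string
    "http://abcdefgh1234567.googlegroups.com/web/x.html",  # 15-char label with digits
    "http://abcdefghijklmno.googlegroups.com/",            # 15-char label, no digit
    "http://groups.google.com/group/example-list",         # plain group link
]

if __name__ == "__main__":
    for uri in SAMPLES:
        rules, total = evaluate(uri)
        print(f"{total:>2}  {','.join(rules) or '-':<20}  {uri}")
```

The fourth sample shows why the third rule is a meta: a 15-character label without a digit matches only __GOOGLEGROUPS_15 and scores nothing.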