Johann Spies wrote:

> On Tue, Feb 24, 2009 at 02:51:36PM +0100, Karsten Bräckelmann wrote:
>> More seriously, unless you provide raw samples [1], including the
>> rules hit on your system, there's probably not much else to say.
>> 
> 
> You can download them at ftp://g...@ftp.sun.ac.za/pespos.tar.gz .  Use
> password 'tydelik'.

Hi Johann

I have three rules that would have helped you catch some of those
(I didn't check all of your examples):

# google group URL contains ..
uri      NN_GOOGLE_GROUP_DD  m'www\.google\.com/.*\.\..*/group/'i
describe NN_GOOGLE_GROUP_DD  Link to a Google group contains '..'
score    NN_GOOGLE_GROUP_DD  4

# google group url contains question mark
uri      NN_GOOGLE_GROUP_QM  m'google\.com/.*group/[^?]{6,}\?[^?]{6}'i
describe NN_GOOGLE_GROUP_QM  Highly suspect link to a google group
score    NN_GOOGLE_GROUP_QM  4

uri      __GOOGLEGROUPS_15  m'http://[^.]{15}\.googlegroups\.com'i
uri      __GOOGLEGROUPS_NUM m'http://[^.]*[0-9][^.]*\.googlegroups\.com'i
meta     NN_GOOGLEGROUPS_15 __GOOGLEGROUPS_15 && __GOOGLEGROUPS_NUM
describe NN_GOOGLEGROUPS_15  Contains a suspicious googlegroups URI.
score    NN_GOOGLEGROUPS_15 2


/Per Jessen, Zürich
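
Added example, not part of the original post and not SpamAssassin's own code: a Python approximation of how the rules above evaluate, assuming a `uri` rule is a case-insensitive search over every URI found in a message and a `meta` rule combines those message-level hits. The `evaluate` helper and all sample URIs are constructed for illustration; it shows that NN_GOOGLEGROUPS_15 can fire when the two sub-rules match different URIs in the same message.

```python
import re

# Patterns copied from the rules in the post; the trailing 'i' maps to re.IGNORECASE.
URI_RULES = {
    "NN_GOOGLE_GROUP_DD": r"www\.google\.com/.*\.\..*/group/",
    "NN_GOOGLE_GROUP_QM": r"google\.com/.*group/[^?]{6,}\?[^?]{6}",
    "__GOOGLEGROUPS_15": r"http://[^.]{15}\.googlegroups\.com",
    "__GOOGLEGROUPS_NUM": r"http://[^.]*[0-9][^.]*\.googlegroups\.com",
}
SCORES = {"NN_GOOGLE_GROUP_DD": 4, "NN_GOOGLE_GROUP_QM": 4, "NN_GOOGLEGROUPS_15": 2}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in URI_RULES.items()}


def evaluate(uris):
    """Return (sorted scoring rules hit, total score) for one message's URIs."""
    # A uri rule hits if ANY URI in the message matches it.
    hits = {name for name, rx in COMPILED.items() if any(rx.search(u) for u in uris)}
    # meta rule: both sub-rules must have hit, not necessarily on the same URI.
    if {"__GOOGLEGROUPS_15", "__GOOGLEGROUPS_NUM"} <= hits:
        hits.add("NN_GOOGLEGROUPS_15")
    # Rules whose names start with "__" are sub-rules and carry no score.
    scoring = sorted(h for h in hits if not h.startswith("__"))
    return scoring, sum(SCORES[h] for h in scoring)


# Constructed sample messages, each a list of URIs (not taken from the samples in the thread).
SAMPLES = {
    "dotdot path": ["http://www.google.com/a/../x/group/abc"],
    "long query": ["http://www.google.com/group/abcdefgh?hl=en&x=1"],
    "ordinary group link": ["http://groups.google.com/group/comp.lang.python"],
    "15 chars with digits": ["http://abcdefgh1234567.googlegroups.com/web/x.html"],
    "15 chars, no digit": ["http://abcdefghijklmno.googlegroups.com/"],
    "split across two URIs": ["http://abcdefghijklmno.googlegroups.com/",
                              "http://list2.googlegroups.com/"],
}

if __name__ == "__main__":
    for label, uris in SAMPLES.items():
        rules, score = evaluate(uris)
        print(f"{label:24} score={score} rules={rules}")
```
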
