On Wed, 13 May 2009, Ned Slider wrote:
> uri LOCAL_URI_HIDDEN_DIR m{https?://.{1,40}/\.\w}
> describe LOCAL_URI_HIDDEN_DIR contains hidden directory of form example.com/.something
>
> the fourth might be indicative of a hacked server with a hidden
> phishing directory.
>
> Any comments?

I've been running a hidden-dir rule for a long time; it gets pretty steady
hits on phishes and I can't recall any FPs. Mine's somewhat simpler:

uri URI_HIDDEN /\/\../

Note that a directory named "..." would not be caught by your rule.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Perfect Security and Absolute Safety are unattainable; beware
those who would try to sell them to you, regardless of the cost,
for they are trying to sell you your own slavery.
-----------------------------------------------------------------------
9 days until the 5th anniversary of SpaceshipOne winning the X-prize
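
The two rule bodies from this thread compared side by side on constructed URIs, as an added example that is not from either poster: it shows the "..." case mentioned above, the effect of the `.{1,40}` bound in the first rule, and how both rules treat `/.well-known/`, a legitimate dot-directory prefix (RFC 8615). Assumptions: the patterns are transcribed from Perl to Python's `re`, they are applied to the raw URI string without modelling SpamAssassin's own URI extraction, and the `hits` helper and sample URIs are hypothetical.

```python
import re

# Rule bodies from the thread, transcribed from Perl to Python regex syntax.
RULES = {
    "LOCAL_URI_HIDDEN_DIR": re.compile(r"https?://.{1,40}/\.\w"),
    "URI_HIDDEN": re.compile(r"/\.."),
}


def hits(uri):
    """Return the sorted names of the rules whose pattern matches the URI."""
    return sorted(name for name, rx in RULES.items() if rx.search(uri))


# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "http://example.com/index.html",                 # no dot-directory
    "http://example.com/.something/login.html",      # form named in the describe line
    "http://example.com/.../login.html",             # directory named "..."
    "http://example.com/images/../login.html",       # relative ".." path segment
    # dot-directory more than 40 characters after "://"
    "http://example.com/" + "a" * 45 + "/.something/login.html",
    "https://example.com/.well-known/security.txt",  # legitimate dot-directory
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{', '.join(hits(uri)) or '-':35} {uri}")
```
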