John Hardin wrote:
On Wed, 13 May 2009, Ned Slider wrote:
uri LOCAL_URI_HIDDEN_DIR m{https?://.{1,40}/\.\w}
describe LOCAL_URI_HIDDEN_DIR contains hidden directory of form example.com/.something
the fourth might be indicative of a hacked server with a hidden
phishing directory.
Any comments?
I've been running a hidden-dir rule for a long time; it gets pretty
steady hits on phishes and I can't recall any FPs. Mine's somewhat
simpler:
uri URI_HIDDEN /\/\../
Note that a directory named "..." would not be caught by your rule.
Nice - Thanks John :-)
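
The difference between the two rules in this thread, shown as an added example that is not part of either post: Python translations of both patterns run over constructed URIs. It also goes one step beyond the "..." case by including a hidden directory that sits more than 40 characters after the scheme; the function names and sample URIs are assumptions.

```python
import re

# Python translations of the two SpamAssassin uri patterns quoted in the thread.
RULES = {
    "LOCAL_URI_HIDDEN_DIR": re.compile(r"https?://.{1,40}/\.\w"),  # m{https?://.{1,40}/\.\w}
    "URI_HIDDEN": re.compile(r"/\.."),                             # /\/\../
}

# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "http://example.com/.something/login.html",   # dot-directory near the host
    "http://example.com/.../login.html",          # directory named "..."
    "http://www.example.com/a/very/long/path/that/goes/deep/.hidden/index.html",
    "http://example.com/images/logo.png",         # no hidden directory
]


def rule_hits(uri):
    """Return the names of the rules whose pattern matches the URI."""
    return [name for name, pattern in RULES.items() if pattern.search(uri)]


def compare(uris=SAMPLES):
    """Map each URI to the list of rules that fire on it."""
    return {uri: rule_hits(uri) for uri in uris}


if __name__ == "__main__":
    for uri, hits in compare().items():
        print(f"{', '.join(hits) or '-':<34} {uri}")
```

The first pattern needs a word character right after the dot and the "/." within 41 characters of "://", which is why only the simpler rule fires on the second and third samples.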