On Mon, 2009-06-22 at 13:15 +0300, Jari Fredriksson wrote:
> >> On 2009-06-22 10:52:54, Paweł Tęcza wrote:
> This seems to compile:
>
> body AE_MEDS35 /\(\s?w{2,4}\s(meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/
> describe AE_MEDS35 obfuscated domain in message
> score AE_MEDS35 3.0

I'd suggest (?:meds|shop) as being slightly faster and more memory efficient.

I'm considering a low-scoring rule like:

body AE_MEDS37 /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS37 rule to catch the next wave of spaced domains
score AE_MEDS37 1.0

Maybe a meta rule with SARE_ADULT...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
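An added example, not part of the original message: a small Perl harness (SpamAssassin compiles body rules as Perl regexes) that checks both patterns from the thread against constructed sample lines, including two benign lines that must not hit. The sample text is made up for illustration, and AE_MEDS37 is written here with [[:alpha:]], since a bare [:alpha:] is parsed as an ordinary set of the characters ':', 'a', 'l', 'p', 'h'.

```perl
#!/usr/bin/perl
# Added example: exercise the two body-rule patterns from the thread against
# constructed sample lines before deploying them as SpamAssassin rules.
use strict;
use warnings;

# Patterns as used in the rules; AE_MEDS35 uses the non-capturing group
# suggested in the reply, AE_MEDS37 uses the bracketed POSIX class.
my %rules = (
    AE_MEDS35 => qr/\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/,
    AE_MEDS37 => qr/\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/,
);

# Constructed sample body lines: [ text, rules expected to hit ].
my @samples = (
    [ 'Best prices ( www meds12 com ) today',    [qw(AE_MEDS35 AE_MEDS37)] ],
    [ 'Order at (ww shop7 net)',                 [qw(AE_MEDS35 AE_MEDS37)] ],
    [ 'New site ( www pill88 org )',             [qw(AE_MEDS37)] ],
    [ 'See our page (www.example.com) for more', [] ],   # normal URL
    [ 'Meeting notes (www room12 is booked)',    [] ],   # no TLD word
);

my $failures = 0;
for my $sample (@samples) {
    my ($text, $expected) = @$sample;
    my @hits = grep { $text =~ $rules{$_} } sort keys %rules;
    my $ok   = "@hits" eq join(' ', sort @$expected);
    $failures++ unless $ok;
    printf "%-4s %-42s hits: %s\n", $ok ? 'ok' : 'FAIL', $text, "@hits" || '-';
}

# The bare form compiles (with a warning) but only accepts runs made of
# ':', 'a', 'l', 'p', 'h', so it misses ordinary four-letter words.
my $bare = do { no warnings 'regexp'; qr/\s[:alpha:]{4}\d{1,4}\s/ };
for my $text ('( www pill88 org )', '( www meds12 com )') {
    if ($text =~ $bare) {
        print "FAIL bare [:alpha:] unexpectedly matched: $text\n";
        $failures++;
    }
    else {
        print "ok   bare [:alpha:] does not match: $text\n";
    }
}

exit($failures ? 1 : 0);
```

A non-zero exit status means a pattern hit or missed a line contrary to the expectations listed in @samples.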