On Mon, 2009-06-22 at 13:15 +0300, Jari Fredriksson wrote:
> >> On 2009-06-22 10:52:54, Paweł Tęcza wrote:

> This seems to compile:
> 
> body     AE_MEDS35 /\(\s?w{2,4}\s(meds|shop)\d{1,4}\s(?:net|com|org)\s?\)/
> describe AE_MEDS35 obfuscated domain in message
> score    AE_MEDS35 3.0

I'd suggest (?:meds|shop) as being slightly faster and more memory
efficient.

I'm considering a low-scoring rule like:
body     AE_MEDS37  /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS37  rule to catch the next wave of spaced domains
score    AE_MEDS37  1.0

Maybe a meta rule with SARE_ADULT...


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
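
An added example, not part of the original message or of SpamAssassin: a small Python harness that runs the two rules from this thread over constructed sample lines. It also shows that a bare [:alpha:] is just the character set ':', 'a', 'l', 'p', 'h'. Assumptions: Python's re has no POSIX classes, so [[:alpha:]] is written [A-Za-z]; the names RULES, BARE and SAMPLES are hypothetical.

```python
import re

# Rule name -> (compiled pattern, score), using the scores from the thread.
# [[:alpha:]] is spelled [A-Za-z] because Python's re lacks POSIX classes
# (assumption: ASCII letters only).
RULES = {
    "AE_MEDS35": (re.compile(
        r"\(\s?w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)\s?\)"), 3.0),
    "AE_MEDS37": (re.compile(
        r"\(\s?w{2,4}\s[A-Za-z]{4}\d{1,4}\s(?:net|com|org)\s?\)"), 1.0),
}

# Same rule with a bare [:alpha:]: a plain set of the characters : a l p h.
BARE = re.compile(r"\(\s?w{2,4}\s[:alpha:]{4}\d{1,4}\s(?:net|com|org)\s?\)")

# Constructed sample body lines (not taken from real mail).
SAMPLES = [
    "Best prices ( www meds35 com ) order today",
    "Visit (www shop7 net) now",
    "New offer ( www pill12 org )",
    "Docs are at (www.example.com) as usual",
    "Meeting moved (room 4, see wiki) thanks",
]


def hits(line):
    """Return the sorted names of the rules whose pattern matches the line."""
    return sorted(name for name, (rx, _) in RULES.items() if rx.search(line))


def score(line):
    """Sum the scores of every rule that hits the line."""
    return sum(RULES[name][1] for name in hits(line))


def report(lines):
    """Return (line, rule names, total score) for each sample line."""
    return [(line, hits(line), score(line)) for line in lines]


if __name__ == "__main__":
    for line, names, total in report(SAMPLES):
        print(f"{total:4.1f}  {','.join(names) or '-':22}  {line}")
    print("bare [:alpha:] matches 'pill12':",
          bool(BARE.search("New offer ( www pill12 org )")))
```
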
