Hi there,

Just write a single detection rule for FONT face= (rawbody or
uri_detail) and use tflags multiple.

Then meta this with a counter.

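e.g.:
# Sub-rule: count each "<FONT face=" in the raw body, stop counting at 21 hits
rawbody  __BLAH  /<FONT face=/
tflags  __BLAH  multiple maxhits=21
# Fire only when the sub-rule hit more than 20 times
meta  MULTPL_FONTS  __BLAH > 20
score  MULTPL_FONTS  5.0
describe MULTPL_FONTS  More than 20 FONT tags found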

Best regards,

Alex, from prypiat.
Yes, I recycle.


On 13-04-14 08:46 PM, Marc Perkel wrote:
> Anyone want to write a rule to catch this? Lots of font and color
> changes.
>
> <FONT face="Courier New" size="2" color="#e8f8f6">
> <p>treatment for the summer holidays.</p>
> <p><a href="http://jmb.tw/16xul";>Achieve all your goals and this video
> will
> help you.</a></p>
> <p><FONT face="Charcoal, sans-serif" size="+1" color="#e4f4f2">One</FONT>
> <FONT face="Impact, Times New Roman" size="+2" color="#e4fcf9">day</FONT>
> <FONT face="Palatino Linotype, Palatino, serif" size="-1"
> color="#e0fffb">a</FONT> <FONT face="Lucida Console, Times New Roman"
> size="+2" color="#e8fffc">younger</FONT> <FONT face="Impact, Times New
> Roman" size="-1" color="#e4fbf8">colleague,</FONT> <FONT face="Tahoma,
> Geneva, sans-serif" size="-3" color="#f0fffd">one</FONT> <FONT
> face="Courier, monospace"
> size="5" color="#ecfbf9">of</FONT> <FONT face="Comic Sans MS, cursive"
> size="3" color="#e0fefa">my</FONT> <FONT face="Book Antiqua, Times New
> Roman" size="-1" color="#e8fefb">most <FONT face="Arial" size="+2"
> color="#e0fdf9">intimate</FONT></p>
> <p><FONT face="Comic Sans MS, Times New Roman" size="+2"
> color="#f8fffe">friends,</FONT> <FONT face="Tahoma, Geneva, sans-serif"
> size="-3" color="#f6fdfc">who</FONT> <FONT face="Courier New, Courier,
> monospace" size="3" color="#f4fbfa">had</FONT> <FONT face="Lucida
> Console,
> Monaco, monospace" size="+2" color="#f2f9f8">visited</FONT> <FONT
> face="Arial, Helvetica, sans-serif" size="1" color="#f0fefc">the</FONT>
> <FONT face="Courier New" size="5" color="#ecfaf8">patient-</FONT> <FONT
> face="Century Gothic, Times New Roman"
> size="1" color="#e8f6f4">Irma-</FONT> <FONT face="Impact, Arial" size="1"
> color="#e4f2f0">and</FONT> <FONT face="Lucida Console, Monaco, monospace"
> size="-2" color="#e8fdfa">her</p>
> <p><FONT face="Comic Sans MS, Arial" size="1" color="#e4f9f6"></FONT>
> </p>
> </FONT>
>
>
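
Added example (not part of the original thread): a small Python model of the counting rule in the reply above, for checking the threshold and the literal pattern against constructed HTML before deploying it. It assumes the body is matched as one string (SpamAssassin splits rawbody text into chunks), and TOLERANT is a hypothetical variant of the pattern that is not from the thread.

```python
import re

# Pattern exactly as posted in the reply: case-sensitive, one literal space.
PAGE_RULE = re.compile(r'<FONT face=')
# Hypothetical variant (assumption): any whitespace, any case.
TOLERANT = re.compile(r'<font\s+face=', re.IGNORECASE)


def count_hits(body, pattern, maxhits=21):
    """Count matches like 'tflags multiple maxhits=N': stop once N is reached."""
    hits = 0
    for _ in pattern.finditer(body):
        hits += 1
        if hits >= maxhits:
            break
    return hits


def meta_fires(body, pattern, maxhits=21, threshold=20):
    """Model of 'meta MULTPL_FONTS __BLAH > 20'."""
    return count_hits(body, pattern, maxhits) > threshold


def make_body(n_tags, tag="FONT", wrap_every=0):
    """Constructed sample: n_tags one-word font spans, one per line.

    Every wrap_every-th tag has a line break between the tag name and the
    'face' attribute, as happens when a mailer wraps long HTML lines.
    """
    parts = []
    for i in range(1, n_tags + 1):
        sep = "\n" if wrap_every and i % wrap_every == 0 else " "
        parts.append(f'<{tag}{sep}face="Arial" size="1" color="#e4f2f0">w{i}</{tag}>')
    return "\n".join(parts)


if __name__ == "__main__":
    samples = {
        "25 tags": make_body(25),
        "20 tags": make_body(20),
        "25 tags, every 3rd wrapped": make_body(25, wrap_every=3),
        "25 lowercase tags": make_body(25, tag="font"),
    }
    for name, body in samples.items():
        print(f"{name}: posted={count_hits(body, PAGE_RULE)} "
              f"tolerant={count_hits(body, TOLERANT)} "
              f"fires={meta_fires(body, PAGE_RULE)}")
```

The wrapped and lowercase samples show where the literal pattern undercounts, which matters because the meta rule only fires above 20 hits.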
