On Jun 25, 2014, at 3:47 PM, John Hardin <jhar...@impsec.org> wrote:
> On Wed, 25 Jun 2014, Philip Prindeville wrote:
>
>> Including 6 distinct UUID’s would seem to be useful. Including the same
>> UUID 6 times seems broken.
>>
>> Perhaps a pattern like:
>>
>> body /((;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})){4,}/
>>
>> would be… no, wait… we’d need to save the first one, and then check for 3 or
>> more recurrences of the exact same literal string.
>>
>> rawbody L_REPEATING_UUIDS /<a href="\#"
>> .*(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}){4,}>/i
>> describe L_REPEATING_UUIDS Seeing the same tracking info repeated
>> score L_REPEATING_UUIDS 0.1
>
> That still doesn't hit *only* the same GUID repeated. Try this:
>
> rawbody L_REPEATING_UUIDS /<a href="\#"
> [^\s>]+(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})\1\1\1/i
>

Sorry, that got dropped along the way. I had tested:

rawbody L_REPEATING_UUIDS /<a href="\#" .*(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})(\1){4,}>/i

and indeed that works correctly.
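The difference between the three rule bodies in this thread, as an added example that is not part of the original messages: it runs each pattern over constructed anchor tags to show which ones fire on distinct UUIDs and which only on a repeated one. It assumes Python's `re` treats the quantifiers and `\1` backreferences the same way as the Perl regexes SpamAssassin uses; the dictionary keys, the `track` prefix and all UUID values are made up for the demonstration.

```python
import re

# UUID shape shared by every rule in the thread.
UUID = r"[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"
ANCHOR = r'<a href="#" '  # the rules write \# because '#' starts a comment in SpamAssassin config

# Keys are hypothetical labels; each value is one rule body from the thread.
RULES = {
    # quantified group: four or more UUID-shaped fields, identical or not
    "any_uuid_x4": re.compile(ANCHOR + r".*(;" + UUID + r"){4,}>", re.I),
    # capture once, then three backreferences: the same field four times in total
    "same_x4": re.compile(ANCHOR + r"[^\s>]+(;" + UUID + r")\1\1\1", re.I),
    # capture once, then (\1){4,}: the same field at least five times in total
    "same_x5": re.compile(ANCHOR + r".*(;" + UUID + r")(\1){4,}>", re.I),
}

SAME = "0A1B2C3D-1111-2222-3333-444455556666"  # constructed sample value


def distinct(n):
    """Return n constructed UUIDs that all differ in their first field."""
    return [f"{i:08X}-1111-2222-3333-444455556666" for i in range(n)]


def make_tag(uuids):
    """Build a constructed anchor tag carrying ';UUID' tracking fields."""
    return '<a href="#" track' + "".join(";" + u for u in uuids) + ">"


def hits(text):
    """Return the set of rule labels whose pattern matches the text."""
    return {name for name, rx in RULES.items() if rx.search(text)}


if __name__ == "__main__":
    samples = {
        "same UUID x5": make_tag([SAME] * 5),
        "same UUID x4": make_tag([SAME] * 4),
        "distinct x5": make_tag(distinct(5)),
        "same, mixed case x4": make_tag([SAME, SAME.lower()] * 2),
    }
    for label, tag in samples.items():
        print(f"{label:22} -> {sorted(hits(tag))}")
```

Under `/i` the backreference also matches case-insensitively, so a tag that alternates upper and lower case spellings of one UUID still counts as a repeat.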