On Jun 25, 2014, at 3:47 PM, John Hardin <jhar...@impsec.org> wrote:

> On Wed, 25 Jun 2014, Philip Prindeville wrote:
> 
>> Including 6 distinct UUIDs would seem to be useful.  Including the same 
>> UUID 6 times seems broken.
>> 
>> Perhaps a pattern like:
>> 
>> body /((;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})){4,}/
>> 
>> would be… no, wait… we’d need to save the first one, and then check for 3 or 
>> more recurrences of the exact same literal string.
>> 
>> rawbody L_REPEATING_UUIDS       /<a href="\#" .*(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}){4,}>/i
>> describe L_REPEATING_UUIDS      Seeing the same tracking info repeated
>> score L_REPEATING_UUIDS         0.1
> 
> That still doesn't hit *only* the same GUID repeated. Try this:
> 
> rawbody L_REPEATING_UUIDS  /<a href="\#" [^\s>]+(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})\1\1\1/i
> 


Sorry, that got dropped along the way.  I had tested:

rawbody L_REPEATING_UUIDS       /<a href="\#" .*(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})(\1){4,}>/i


and indeed that works correctly.
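
The difference between the three UUID patterns in this thread, as an added example that is not from either poster: Python's `re` handles quantified groups and `\1` backreferences the same way Perl does here, so the UUID portion of each rule is run over constructed sample strings. The `<a href=...` prefix is omitted and all UUID values are made up for the demonstration.

```python
import re

# UUID sub-pattern exactly as it appears in the rules above
UUID = r";[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"

# Quantified group: every iteration may match a *different* UUID
ANY_UUIDS = re.compile(r"(%s){4,}" % UUID, re.I)
# Capture once, then three backreferences: 4 identical copies in a row
SAME_X4 = re.compile(r"(%s)\1\1\1" % UUID, re.I)
# Capture once, then (\1){4,}: the capture plus 4 or more repeats, so 5+ copies
SAME_X5 = re.compile(r"(%s)(\1){4,}" % UUID, re.I)


def classify(text):
    """Return which of the three patterns fire on the given text."""
    return {
        "any_uuids": bool(ANY_UUIDS.search(text)),
        "same_x4": bool(SAME_X4.search(text)),
        "same_x5": bool(SAME_X5.search(text)),
    }


# Constructed sample UUIDs (not taken from any real message)
A = ";0A1B2C3D-1111-2222-3333-0123456789AB"
B = ";FFFFFFFF-4444-5555-6666-BA9876543210"
C = ";12345678-AAAA-BBBB-CCCC-ABCDEF012345"
D = ";89ABCDEF-0000-9999-8888-543210FEDCBA"

SAMPLES = {
    "four distinct": A + B + C + D,   # legitimate-looking: different IDs
    "same x4": A * 4,                 # one ID repeated four times
    "same x6": A * 6,                 # one ID repeated six times
    "alternating": A + B + A + B,     # repeats, but never adjacent copies
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14s} {classify(text)}")
```
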

