On Jun 26, 2014, at 7:31 PM, John Hardin <jhar...@impsec.org> wrote:
> On Thu, 26 Jun 2014, Philip Prindeville wrote:
>
>> On Jun 25, 2014, at 3:47 PM, John Hardin <jhar...@impsec.org> wrote:
>>
>>> That still doesn't hit *only* the same GUID repeated. Try this:
>>>
>>> rawbody L_REPEATING_UUIDS /<a href="\#"
>>> [^\s>]+(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})\1\1\1/i
>>
>> Sorry, that got dropped along the way. I had tested:
>>
>> rawbody L_REPEATING_UUIDS /<a href="\#"
>> .*(;[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12})(\1){4,}>/i
>>
>> and indeed that works correctly.
>
> OK, that's certainly another valid way to code it.
>
> Note that you do not need parens around the \1. That captures it again, which
> just wastes processing. \1{4,} should work.
>
> Also, .* in a rawbody rule is a **really** bad idea. Note my suggested
> alternative, which won't run wild scanning the entire message.
The [^\s] wouldn’t work because there is space in there…
<A href="#" philipp 2014-06-25
01:20:00;F1B9215E-B1D0-40BC-92D1-F13D501596B7;F1B9215E-B1D0-40BC-92D1-F13D501596B7;F1B9215E-B1D0-40BC-92D1-F13D501596B7;F1B9215E-B1D0-40BC-92D1-F13D501596B7;F1B9215E-B1D0-40BC-92D1-F13D501596B7;F1B9215E-B1D0-40BC-92D1-F13D501596B7><SPAN
style="VISIBILITY: hidden"></SPAN></A>
note the name, non-breaking space, and the timestamp before the UUID’s…
