On 11/9/2014 11:07 AM, David B Funk wrote:
On Sun, 9 Nov 2014, David B Funk wrote:
For NUMERIC_HTTP_ADDR the rule is: /^https?\:\/\/\d{7}/is
If that pattern were terminated like:
/^https?\:\/\/\d{7}(?::\d+)?(?:\/|$)/is
it should prevent the FPs (hopefully with out destroying its
effectiveness)
Oops, for that new formulation it would actually need to be:
/^https?\:\/\/\d{7,10}(?::\d+)?(?:\/|$)/is
This rule is currently scored very low:
score NUMERIC_HTTP_ADDR 0.000 0.001 0.001 1.242
Can you give an example of a real legitimate domain that is being
falsely marked by this? Otherwise I wouldn't be too worried because this
rule would have to be in conjunction with a good bit more in order to
get flagged as an FP. Your proposed change is very minimal in terms of
the strings I would expect it to hit on.