On Thu, 04 Dec 2014 23:40:39 +0100
Axb <axb.li...@gmail.com> wrote:

> uri    __URI_COSTCO   /costco\.com/i
> uri   __URI_PHPASKC   /\.php\?c\=/
> meta  AXB_URI_COSTCO_JJ       (__URI_COSTCO && __URI_PHPASKC)
> score AXB_URI_COSTCO_JJ       10.0

I've seen variants purportedly from Kroger, Target and Best Buy.
We're having good luck with the following:

uri        __RP_D_00081_1 /\.php\?(?:dp|k|c|t)=[\/A-Za-z0-9=+]{25}/
header     __RP_D_00081_2 Subject =~ /\b(?:order|buying)\b/i
meta       RP_D_00081 __RP_D_00081_1 && __RP_D_00081_2
describe   RP_D_00081 Link to malware
score      RP_D_00081 30

Regards,

David.
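
The two rule sets above can be compared offline before deployment. The following is an added example, not part of the original messages: it emulates the rules with Python's `re` instead of SpamAssassin itself, uses a simplified URI extractor (an assumption), and runs on constructed sample messages whose hosts and token are made up.

```python
import re
from email import message_from_string

# Patterns copied verbatim from the two rule sets in this thread.
URI_COSTCO = re.compile(r"costco\.com", re.I)
URI_PHPASKC = re.compile(r"\.php\?c\=")
RP_1 = re.compile(r"\.php\?(?:dp|k|c|t)=[\/A-Za-z0-9=+]{25}")
RP_2 = re.compile(r"\b(?:order|buying)\b", re.I)

# Assumption: a simplified stand-in for SpamAssassin's own URI extraction.
URI_RE = re.compile(r"https?://[^\s<>\"']+")

def evaluate(raw):
    """Return which of the two meta rules would fire for one raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    uris = URI_RE.findall(msg.get_payload())
    # A uri sub-rule is true if any URI in the message matches it.
    hit = lambda rx: any(rx.search(u) for u in uris)
    return {
        "AXB_URI_COSTCO_JJ": hit(URI_COSTCO) and hit(URI_PHPASKC),
        "RP_D_00081": hit(RP_1) and bool(RP_2.search(subject)),
    }

# Constructed sample messages; hosts and the token are made up.
TOKEN = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4"
SAMPLES = {
    "costco_variant": "Subject: Your order is ready\n\n"
                      f"http://costco.com.shop.example/info.php?c={TOKEN}\n",
    "other_retailer": "Subject: Thank you for buying with us\n\n"
                      f"http://store.example/view.php?k={TOKEN}\n",
    "short_parameter": "Subject: Order status\n\n"
                       "http://forum.example/index.php?t=12345\n",
    "subject_mismatch": "Subject: Weekly newsletter\n\n"
                        f"http://news.example/read.php?dp={TOKEN}\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

The `short_parameter` and `subject_mismatch` samples show the two conditions that keep RP_D_00081 from firing: a query value shorter than 25 characters, and a Subject without "order" or "buying".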
