On Mon, 20 Feb 2017, Alex wrote:

Hi,

Some time ago I had put together a rule based on comments from this
list, and I've identified a FP that I hoped someone could help me to
correct.

The full domain in the email was http://www.top-1.biz. However, it's
being tagged as if it's "top" as the TLD in one of KAMs rules and one
of mine:

Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule __KAM_TINYDOMAIN
======> got hit: "-1.biz/"
Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule LOC_URI_RARE_TLD
======> got hit: "://www.top"

uri        LOC_URI_RARE_TLD
m;://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|moda|news|online)(?:/|\b);i

How can this be corrected to specifically only catch top as a TLD?

Re LOC_URI_RARE_TLD:

It's a URI rule, so anchor the end with (?:/|$) - if it's a bare domain the TLD will be at the end of the URI. If it's got a path part the domain will be followed by a slash.

Thanks for bringing that up, fixed here too.

Dunno about __KAM_TINYDOMAIN

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Homeland Security: Specializing in Tactical Band-aids
  for Strategic Problems.         -- Eric K. in Bruce Schneier's blog
-----------------------------------------------------------------------
 2 days until George Washington's 285th Birthday
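As an added illustration (not part of the thread), the following Python script runs Alex's original pattern and John's `(?:/|$)` anchor side by side against a few URIs. SpamAssassin evaluates these rules in Perl, but Python's `re` behaves the same for this pattern; every sample URI except www.top-1.biz is constructed for the demonstration.

```python
import re

# Alex's original rule body (Perl m;...;i) in Python re syntax.
# The trailing \b fires on any non-word character after the TLD, including
# the "-" in "top-1.biz", which is the false positive reported above.
ORIGINAL = re.compile(
    r"://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol"
    r"|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid"
    r"|trade|win|moda|news|online)(?:/|\b)",
    re.I,
)

# John's suggested fix: the TLD must be followed by a slash or the end of
# the URI, so a host such as www.top-1.biz can no longer match on "top".
FIXED = re.compile(
    r"://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol"
    r"|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid"
    r"|trade|win|moda|news|online)(?:/|$)",
    re.I,
)


def hits(pattern, uri):
    """Return the matched text, or None; mirrors the 'got hit' debug line."""
    m = pattern.search(uri)
    return m.group(0) if m else None


# Constructed sample URIs (only www.top-1.biz comes from the thread).
SAMPLES = [
    "http://www.top-1.biz",       # reported FP: must not hit after the fix
    "http://www.top-1.biz/",
    "http://example.top",         # bare rare TLD: should still hit
    "http://example.top/promo",   # rare TLD with a path: should still hit
    "http://example.com",         # ordinary TLD: never hits
    "http://example.top:8080/x",  # caveat: a port after the TLD defeats (?:/|$)
    "http://example.top?ref=1",   # caveat: a query with no slash defeats it too
]


def compare(uris=SAMPLES):
    """Map each URI to (original_hit, fixed_hit) for a side-by-side view."""
    return {u: (hits(ORIGINAL, u), hits(FIXED, u)) for u in uris}


if __name__ == "__main__":
    for uri, (before, after) in compare().items():
        print(f"{uri:28} original={before!r:18} fixed={after!r}")
```

The last two samples show the trade-off of the stricter anchor: a port or a query string directly after the TLD is no longer caught, so check your own URI samples before relying on it.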
