On May 4, 2000 Jon Knight <J.P.Knight@???> wrote:
> if ($message_body matches "^\\s+name=.+.[vV][bB][sS]" or
May I remind everyone that "matches" does a case insensitive match, while
MATCHES does a case sensitive one.
Anyway, what I have now is not intended to be a fully generic
VBScript detector, but should find variants of the current one with
different subject lines. Varying the subject line is the obvious next
step for the kids, so I'd rather have something in place before the
weekend.

  if ($message_body matches "name=\"[^\"].*\\\\.txt\\\\.vbs\"" or
      $h_subject: IS ILOVEYOU) and $message_size is above 9k
      and not error_message then
    freeze text "Suspected ILOVEYOU virus"
  endif

Now first I would love to do that with fewer backslashes. But I am also
relying on there being quotes around the filename. Is that safe, or can
this happen with the filename not being quoted? What should a relatively
efficient regex look like if the quotes are only required (but
optional) when there is whitespace in the filename?
Another problem:
I had a test on $message_body_size, but that always failed on a -bF test.
Does that require a real live message to have body size
information? Anyway, I've gone to $message_size instead. That should
eliminate a few false positives.
-j
--
Jeffrey Goldberg +44 (0)1234 750 111 x 2826
Cranfield Computer Centre FAX 751 814
J.Goldberg@??? http://WWW.Cranfield.ac.uk/public/cc/cc047/
Relativism is the triumph of authority over truth, convention over justice.
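
Added example, not part of the original message: one way to write the pattern asked about above so that quotes are accepted but only needed when the filename contains whitespace, checked in Python against constructed MIME header lines. The function name and sample lines are assumptions made for the illustration; the regex is written without filter-string escaping, so it would still need the backslashes and quotes escaped before going into an Exim filter.

```python
import re

# Two alternatives after "name=" (which also matches inside "filename="):
#   1. a quoted value, which may contain spaces, ending in .txt.vbs"
#   2. a bare token (no quotes, whitespace or ';') ending in .txt.vbs
# Negated character classes keep each alternative on one parameter, so the
# engine never scans to end of line the way ".*" does.
NAME_RE = re.compile(
    r'''name=(?:"([^"\r\n]*\.txt\.vbs)"
              |([^"\s;]*\.txt\.vbs)(?=[\s;]|$))
    ''',
    re.IGNORECASE | re.VERBOSE,
)


def suspicious_attachment_names(body):
    """Return every attachment name in body that ends in .txt.vbs."""
    return [m.group(1) or m.group(2) for m in NAME_RE.finditer(body)]


# Constructed sample input: three lines that should match, three that should not.
SAMPLE_BODY = (
    'Content-Type: application/octet-stream; name="LETTER.TXT.vbs"\n'
    'Content-Disposition: attachment; filename=notes.txt.vbs\n'
    'Content-Type: text/plain; name="my notes.txt.vbs"\n'
    'Content-Type: text/plain; name="readme.txt"\n'
    'Content-Disposition: attachment; filename=script.vbs.txt\n'
    'Content-Disposition: attachment; filename=a.txt.vbsx; size=1\n'
)

if __name__ == "__main__":
    for name in suspicious_attachment_names(SAMPLE_BODY):
        print("suspect:", name)
```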