}
reconf['WP_COMPROMISED'] = {
- re = '/\\/wp-(?!content|includes)[^\\/]+\\//Ui',
+ re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
description = "URL that is pointing to a compromised WordPress installation",
score = 5.0,
group = "compromised_hosts"
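Review bot: Swapping the negative lookahead `(?!content|includes)` for the non-capturing group `(?:content|includes)` in `WP_COMPROMISED` changes which URLs the rule matches, not just the syntax. The old pattern matched any `/wp-<name>/` segment whose name did not start with `content` or `includes`. The new one matches only names that start with one of those words and carry at least one further character, because `[^\/]+` still follows the group, so `/wp-content/`, `/wp-includes/` and `/wp-admin/` no longer match at all. With a score of 5.0 this is a large shift in detection coverage; if the lookahead was dropped for regex-engine compatibility (an assumption, the hunk does not say), the intended match set should be written down next to the pattern, e.g. `-- matches /wp-content<suffix>/ and /wp-includes<suffix>/ only; stock WordPress paths are excluded`, and checked against sample URLs. The table's closing brace is outside the hunk.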
group = 'header'
}
-reconf['FORGED_GENERIC_RECEIVED5'] = {
- re = 'Received=/\\s*from \\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\].*\\n(.+\\n)*\\s*from \\1 by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0$/X',
- score = 4.6,
- description = 'Forged generic Received',
- group = 'header'
-}
-
reconf['INVALID_POSTFIX_RECEIVED'] = {
re = 'Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X',
score = 3.0,
}
reconf['SUBJECT_HAS_CURRENCY'] = {
- re = 'Subject=/$€$¢¥₽/H',
+ re = 'Subject=/[$€$¢¥₽]/Hu',
description = 'Subject contains currency',
score = 1.0,
group = 'headers'
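Review bot: The new character class `[$€$¢¥₽]` in `SUBJECT_HAS_CURRENCY` lists `$` twice, so the second entry does nothing. If a different symbol was meant in that slot (for instance `£`, which is absent from the class), it has been lost; otherwise the line can be `re = 'Subject=/[$€¢¥₽]/Hu',`. If the regex engine in use supports Unicode properties, `\p{Sc}` would cover the whole currency-symbol category instead of a hand-kept list. Separately, `group = 'headers'` on the last context line differs from the `'header'` spelling used by the neighbouring rules in this diff, which may leave the rule in a separate group. The table's closing brace is outside the hunk.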