[Conf] Add composite for hacked wordpress phishing

diff --git a/conf/composites.conf b/conf/composites.conf
index 288b08d5884df49afa1121286e2426a0ab1557e3..9565ae4894054848662b43dda23410b77983b1b0 100644 (file)
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -57,6 +57,10 @@ composites {
     MAIL_RU_MAILER_BASE64 {
         expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
     }
+    HACKED_WP_PHISHING {
+        expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+        policy = "leave";
+    }
 
     .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
     .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"

diff --git a/conf/metrics.conf b/conf/metrics.conf
index a8eff289ceea2785c1b3714215647f69f2f71d78..bc39a7925a36d1df809c9f6e25df0d9b406d1c76 100644 (file)
--- a/conf/metrics.conf
+++ b/conf/metrics.conf
@@ -424,6 +424,10 @@ metric {
             weight = 7.0;
             description = "Phished URL found in phishtank.com";
         }
+        symbol HACKED_WP_PHISHING {
+            weight = 4.5;
+            description = "Phishing message from hacked wordpress";
+        }
     }
 
     group "hfilter" {