From 088aaea40e1c7cd9087e21605c26d6bd439b5ef0 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Sat, 26 Nov 2016 14:51:19 +0000
Subject: [PATCH] [Fix] Remove or fix hyperscan incompatible regexps

---
 rules/regexp/compromised_hosts.lua | 2 +-
 rules/regexp/headers.lua | 9 +--------
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index 69e77742f..e5e6e6aec 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -97,7 +97,7 @@ reconf['HAS_WP_URI'] = {
 }

 reconf['WP_COMPROMISED'] = {
- re = '/\\/wp-(?!content|includes)[^\\/]+\\//Ui',
+ re = '/\\/wp-(?:content|includes)[^\\/]+\\//Ui',
 description = "URL that is pointing to a compromised WordPress installation",
 score = 5.0,
 group = "compromised_hosts"
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index 71116ebe5..9c47eaeef 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -778,13 +778,6 @@ reconf['FORGED_GENERIC_RECEIVED4'] = {
 group = 'header'
 }

-reconf['FORGED_GENERIC_RECEIVED5'] = {
- re = 'Received=/\\s*from \\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\].*\\n(.+\\n)*\\s*from \\1 by \\S+;\\s+\\w{3}, \\d+ \\w{3} 20\\d\\d \\d\\d\\:\\d\\d\\:\\d\\d [+-]\\d\\d\\d0$/X',
- score = 4.6,
- description = 'Forged generic Received',
- group = 'header'
-}
-
 reconf['INVALID_POSTFIX_RECEIVED'] = {
 re = 'Received=/ \\(Postfix\\) with ESMTP id [A-Z\\d]+([\\s\\r\\n]+for <\\S+?>)?;[\\s\\r\\n]*[A-Z][a-z]{2}, \\d{1,2} [A-Z][a-z]{2} \\d\\d\\d\\d \\d\\d:\\d\\d:\\d\\d [\\+\\-]\\d\\d\\d\\d$/X',
 score = 3.0,
@@ -875,7 +868,7 @@ reconf['SUBJECT_HAS_QUESTION'] = {
 }

 reconf['SUBJECT_HAS_CURRENCY'] = {
- re = 'Subject=/$€$¢¥₽/H',
+ re = 'Subject=/[$€$¢¥₽]/Hu',
 description = 'Subject contains currency',
 score = 1.0,
 group = 'headers'
--
2.39.5
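Review bot: In rules/regexp/compromised_hosts.lua, swapping the negative lookahead `(?!content|includes)` for the non-capturing group `(?:content|includes)` in WP_COMPROMISED inverts what the rule detects instead of only making it Hyperscan-compatible. The old pattern fired on a `/wp-<name>/` path segment whose name does not start with `content` or `includes`; the new one fires only when the name does start with one of them and is followed by at least one more non-slash character, so a plain `/wp-content/` is skipped as well. The description and the 5.0 score are unchanged, so this looks unintended and trades the original detection for a different, much narrower match. If lookaheads cannot be compiled, one option is a broad regexp such as `/\\/wp-[^\\/]+\\//Ui` combined in a composite expression with a negated `/\\/wp-(?:content|includes)\\//Ui` (note that this is evaluated per message rather than per URL), or keeping this single rule on the PCRE path. The table's closing brace lies outside the hunk.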
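Review bot: The new character class in SUBJECT_HAS_CURRENCY (rules/regexp/headers.lua) lists `$` twice, `[$€$¢¥₽]`, so one entry is redundant as shown. If the second was meant to be a different symbol (the pound sign is absent, for example) it should be spelled out; otherwise `re = 'Subject=/[$€¢¥₽]/Hu',` is equivalent. A short comment above `re` naming the intended symbols, e.g. `-- dollar, euro, cent, yen, rouble`, would make a mis-encoded character easy to spot in later edits. The rule's closing brace lies outside the hunk.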