From d10012653e3fc6447461b7920fef24eca2985b00 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Thu, 9 Mar 2017 15:38:02 +0000
Subject: [Conf] Add composite for hacked wordpress phishing
---
 conf/composites.conf | 4 ++++
 conf/metrics.conf | 4 ++++
 2 files changed, 8 insertions(+)
(limited to 'conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index 288b08d58..9565ae489 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -57,6 +57,10 @@ composites {
 MAIL_RU_MAILER_BASE64 {
 expression = "MAIL_RU_MAILER & (FROM_EXCESS_BASE64 | REPLYTO_EXCESS_BASE64 | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
 }
+ HACKED_WP_PHISHING {
+ expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+ policy = "leave";
+ }
 .include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
 .include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
diff --git a/conf/metrics.conf b/conf/metrics.conf
index a8eff289c..bc39a7925 100644
--- a/conf/metrics.conf
+++ b/conf/metrics.conf
@@ -424,6 +424,10 @@ metric {
 weight = 7.0;
 description = "Phished URL found in phishtank.com";
 }
+ symbol HACKED_WP_PHISHING {
+ weight = 4.5;
+ description = "Phishing message from hacked wordpress";
+ }
 }
 group "hfilter" {
--
cgit v1.2.3
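Review bot: The new `HACKED_WP_PHISHING` block in conf/composites.conf has no comment saying what its three operands detect or why `policy = "leave"` was chosen, and neither `HAS_X_POS` nor `HAS_WP_URI` is defined anywhere in this patch. If either name is not registered by the shipped rules, the expression presumably never matches and nothing flags the gap, so both should be confirmed against the rule files before relying on this detection. With `leave`, the component symbols and their scores stay in the result, so the composite's weight is added on top of `PHISHING` rather than replacing it. I would put a line above the block such as `# PHP-originated mail (HAS_X_POS) with a WordPress-path URL (HAS_WP_URI) that also trips PHISHING; "leave" keeps the component scores`, assuming that is what the two symbols mean. The enclosing `composites { … }` section starts and ends outside the hunk.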
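Review bot: In conf/metrics.conf the description `"Phishing message from hacked wordpress"` states more than the rule can establish, since the composite only sees three symbols co-occurring, which is a heuristic for a compromised site rather than proof of one. A wording such as `description = "PHISHING combined with HAS_X_POS and HAS_WP_URI (likely compromised WordPress)";` tells an operator reading a scan log what actually matched. Because the composite is declared with `policy = "leave"`, the 4.5 here stacks on whatever `PHISHING` already scores, so the combined total should be checked against the configured action thresholds before rollout. The enclosing `group` opens outside the hunk, so which group the symbol lands in cannot be confirmed from here.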