Mailing List Archive

Tripwire - case sensitive?
Hello,

Am I correct that Tripwire is case sensitive? A message with the following
content did not score Tripwire.

<!-- MKMQGTJVYVCPUNTOGZEEMZEMMMEQKSZRVQTPJQNIZKOBPPNAEGZKXZWWWNKYKX -->
<!-- CKQGBAHKONVLGBZCHATYIUFIALWWHKEGGSFBIANDYTBUJCGPGIWZKDJLVXTEOLMYMQG -->
<html>
<head>
<title>Untitled Document</title>

</head>
...


Looking at the Tripwire tests they appear to be case sensitive. Is there a
reason for this? How would I modify the test to be case insensitive?

body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/

Thanks, Al
Re: Tripwire - case sensitive?
On Fri, 27 Feb 2004, Alton Danks wrote:

> Hello,
>
> Am I correct that Tripwire is case sensitive? A message with the following
> content did not score Tripwire.
>
> <!-- MKMQGTJVYVCPUNTOGZEEMZEMMMEQKSZRVQTPJQNIZKOBPPNAEGZKXZWWWNKYKX -->
> <!-- CKQGBAHKONVLGBZCHATYIUFIALWWHKEGGSFBIANDYTBUJCGPGIWZKDJLVXTEOLMYMQG -->
> <html>
> <head>
> <title>Untitled Document</title>
>
> </head>
> ...
>
>
> Looking at the Tripwire tests they appear to be case sensitive. Is there a
> reason for this? How would I modify the test to be case insensitive?
>
> body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/

just add an i to the regex:

body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/i

regards,
Matthias
Re: Tripwire - case sensitive?
On Fri, 27 Feb 2004, Matthias Fuhrmann wrote:

> On Fri, 27 Feb 2004, Alton Danks wrote:
>
> > Hello,
> >
> > Am I correct that Tripwire is case sensitive? A message with the following
> > content did not score Tripwire.
> >
> > <!-- MKMQGTJVYVCPUNTOGZEEMZEMMMEQKSZRVQTPJQNIZKOBPPNAEGZKXZWWWNKYKX -->
> > <!-- CKQGBAHKONVLGBZCHATYIUFIALWWHKEGGSFBIANDYTBUJCGPGIWZKDJLVXTEOLMYMQG -->
> > <html>
> > <head>
> > <title>Untitled Document</title>
> >
> > </head>
> > ...
> >
> >
> > Looking at the Tripwire tests they appear to be case sensitive. Is there a
> > reason for this? How would I modify the test to be case insensitive?
> >
> > body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/
>
> just add an i to the regex:
>
> body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/i

oh, sorry, i at the end seems false.
but man perlre says this:
i Do case-insensitive pattern matching.

so a /i in front of your desired letters might help.

regards,
Matthias
Re: Tripwire - case sensitive?
On Fri, 27 Feb 2004, Matthias Fuhrmann wrote:

> > > Looking at the Tripwire tests they appear to be case sensitive. Is there a
> > > reason for this? How would I modify the test to be case insensitive?
> > >
> > > body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/
> >
> > just add an i to the regex:
> >
> > body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/i
>
> oh, sorry, i at the end seems false.

Eh? Why do you say so? That should be exactly right.

> but man perlre says this:
> i Do case-insensitive pattern matching.
>
> so a /i in front of your desired letters might help.

I don't know what you're suggesting, there.
Re: Tripwire - case sensitive?
On Fri, 27 Feb 2004, Bart Schaefer wrote:

> On Fri, 27 Feb 2004, Matthias Fuhrmann wrote:
>
> > > > Looking at the Tripwire tests they appear to be case sensitive. Is there a
> > > > reason for this? How would I modify the test to be case insensitive?
> > > >
> > > > body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/
> > >
> > > just add an i to the regex:
> > >
> > > body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/i
> >
> > oh, sorry, i at the end seems false.
>
> Eh? Why do you say so? That should be exactly right.
>
> > but man perlre says this:
> > i Do case-insensitive pattern matching.
> >
> > so a /i in front of your desired letters might help.
>
> I don't know what you're suggesting, there.

now rereading, it seems ok ... :D

regards,
Matthias
Re: Tripwire - case sensitive?
From: "Matthias Fuhrmann" <Matthias.Fuhrmann@stud.uni-hannover.de>

> On Fri, 27 Feb 2004, Alton Danks wrote:
>
> > Hello,
> >
> > Am I correct that Tripwire is case sensitive? A message with the following
> > content did not score Tripwire.
> >
> > <!-- MKMQGTJVYVCPUNTOGZEEMZEMMMEQKSZRVQTPJQNIZKOBPPNAEGZKXZWWWNKYKX -->
> > <!-- CKQGBAHKONVLGBZCHATYIUFIALWWHKEGGSFBIANDYTBUJCGPGIWZKDJLVXTEOLMYMQG -->
> > <html>
> > <head>
> > <title>Untitled Document</title>
> >
> > </head>
> > ...
> >
> >
> > Looking at the Tripwire tests they appear to be case sensitive. Is there a
> > reason for this? How would I modify the test to be case insensitive?
> >
> > body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/
>
> just add an i to the regex:
>
> body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/i

Matthias, if you do this mimed attachments will get tagged, too. Some
consider this a good idea. Others send software development related
zip files back and forth with their customers. So filtering the base64
coding would be a bad thing, perhaps a very bad thing.

IMAO one should filter spam with spam filters and filter pathogens
with pathogen filters. I've violated this principle twice with a
couple of particular pieces of nonsense that were over 100k that were
clogging my mailbox when I was on the road with 56k dialups. I
found a working signature line in the files and built a redirector
into procmail to save them in a junk box.

So far I am happy working that way. I lose nothing important. And I
have my spam tossed aside for a quick vetting before I toss it.

{^_^}
Re: Tripwire - case sensitive?
On Fri, 27 Feb 2004, jdow wrote:

> From: "Matthias Fuhrmann" <Matthias.Fuhrmann@stud.uni-hannover.de>
>
> > just add an i to the regex:
> >
> > body TW_AJ /[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]/i
>
> Matthias, if you do this mimed attachments will get tagged, too.

No, they won't. Note the [-<!\s] and [->\s] in the regex. Those are
characters guaranteed not to appear in an encoded attachment, so the
regex won't match them.

> IMAO one should filter spam with spam filters and filter pathogens
> with pathogen filters.

Agreed, but that has nothing to do with this at all. Tripwire looks for
garbage fake HTML tags and other random non-words that have been sprinkled
into a message as hash-busters.
Re: Tripwire - case sensitive?
Alton Danks wrote:
> Hello,
>
> Am I correct that Tripwire is case sensitive? A message with the
> following content did not score Tripwire.
>

This was intentional so as not to hit proper abbreviations like ABC, NBC, CBS,
etc. Also to avoid hitting all the airports in the world, as they all use 3
letter call signs. A few other reasons came up but this was the majority of
them.
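
An added example, not part of any post in the thread: the TW_AJ rule as quoted above, run with and without the /i flag over the first comment line from the original post and a few constructed samples. Python's re module stands in for the Perl regex engine here; the names `evaluate`, `report` and `SAMPLES`, and every sample except `thread_comment`, are assumptions made for the illustration.

```python
import re

# TW_AJ exactly as quoted in the thread. Python's re stands in for Perl's
# engine here; re.ASCII keeps \w to [A-Za-z0-9_].
TW_AJ = r"[-<!\s]\w{0,10}aj[fqtvxz]\w{0,10}[->\s]"
AS_SHIPPED = re.compile(TW_AJ, re.ASCII)
WITH_I = re.compile(TW_AJ, re.ASCII | re.IGNORECASE)  # the proposed /i

SAMPLES = {
    # First comment line from the original post (copied from the thread).
    "thread_comment":
        "<!-- MKMQGTJVYVCPUNTOGZEEMZEMMMEQKSZRVQTPJQNIZKOBPPNAEGZKXZWWWNKYKX -->",
    # Everything below is constructed for this example.
    "short_lower": "<!-- kxajqwmz -->",
    "short_upper": "<!-- KXAJQWMZ -->",
    # 12 word characters on each side of AJQ, more than \w{0,10} allows.
    "long_upper": "<!-- MKMQGTJVYVCPAJQUNTOGZEEMZEM -->",
    # A single base64 line: contains "Ajq" but no '-', '<', '!', '>' or space.
    "base64_line": "UEsDBBQAAAAIAAjqT1hAjqzXyZ0AAAAPQAAAAgAAABhLnR4dA",
    # An uppercase three-letter code used as an ordinary word.
    "upper_code": "Ticket ref AJX-204 is attached.",
}


def evaluate(text):
    """Return (hit as shipped, hit with /i) for one piece of body text."""
    return bool(AS_SHIPPED.search(text)), bool(WITH_I.search(text))


def report():
    """Evaluate every sample; maps sample name to (as shipped, with /i)."""
    return {name: evaluate(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, (shipped, with_i) in report().items():
        print(f"{name:15} as shipped={shipped!s:5} with /i={with_i}")
```

With /i the rule starts hitting the short uppercase token and the uppercase code, which is the trade-off the last reply describes. The thread's own comment line is missed either way: it contains no "aj" trigram, and its tokens are far longer than the 23 word characters the pattern allows between delimiters.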