<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Can you help me with an example?<br>
    <br>
    Thanks<br>
    <br>
    PD<br>
    <br>
    <div class="moz-cite-prefix">On 12/01/2016 11:59, rmkml wrote:<br>
    </div>
    <blockquote
      cite="mid:ssoou5h7xkwsq6bsmsldk5of.1452596344069@email.android.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      Hi Paolo, 
      <div>Restrict FP with pcre U please. </div>
      <div>Regards </div>
      <div>@Rmkml </div>
      <div><br>
      </div>
      <div><br>
      </div>
      <br>
      <br>
      -------- Original message --------<br>
      From: Paolo D'Angeli <a class="moz-txt-link-rfc2396E" href="mailto:paolo.dangeli@asdc.asi.it">&lt;paolo.dangeli@asdc.asi.it&gt;</a> <br>
      Date: 12/01/2016 09:53 (GMT+01:00) <br>
      To: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a> <br>
      Subject: [Oisf-users] suricata rules for url matching <br>
      <br>
      I want to write a custom rule to identify access to a specific
      domain and its <br>
      subdomains (like example.com - example.com/blablabla - <br>
      subdomain.example.com - subdomain.example.com/blablabla ...).<br>
      <br>
      I tried this:<br>
      <br>
      alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
      (msg:"ACCESS BLOCKED SITE: example.com"; content:"GET"; depth:3;
      content:"example.com"; http_uri; nocase; threshold: type limit,
      track by_src, count 1, seconds 300; classtype:policy-violation;
      sid:600; rev:1;)<br>
      <br>
      It works fine, but it also matches when I visit a URL that
      contains "BLOCKED <br>
      SITE", like this: GOODSITE/index.php?url=example.com<br>
      <br>
      How can I correct this rule?<br>
      <br>
      Thanks<br>
      <br>
      PD<br>
      <br>
    </blockquote>
    <br>
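    Why the substring match in the quoted rule also fires on GOODSITE/index.php?url=example.com, and what anchoring the pattern to the host part changes, as an added Python simulation (not code from the thread and not Suricata's own matching). The function names, the Host-header branch and all sample requests are assumptions constructed for this example.

```python
import re

DOMAIN = "example.com"  # placeholder domain used in the thread

def substring_rule(uri: str, host: str = "") -> bool:
    """Models the posted rule: case-insensitive substring anywhere in the URI."""
    return DOMAIN in uri.lower()

_LABELS = r"(?:[a-z0-9-]+\.)*"   # zero or more subdomain labels
_TAIL = r"\.?(?::\d+)?"          # optional trailing dot and port
# Host part at the start of the URI, ending at '/', '?', '#' or end of string.
_URI_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?" + _LABELS + re.escape(DOMAIN)
                     + _TAIL + r"(?=[/?#]|$)", re.IGNORECASE)
# The whole Host header value must be the domain or one of its subdomains.
_HOST_RE = re.compile(r"^" + _LABELS + re.escape(DOMAIN) + _TAIL + r"$",
                      re.IGNORECASE)

def anchored_rule(uri: str, host: str = "") -> bool:
    """True only when the request is addressed to DOMAIN or a subdomain."""
    if uri.startswith("/"):      # path-only URI: the destination is in Host
        return bool(_HOST_RE.match(host.strip()))
    return bool(_URI_RE.match(uri))

# Constructed samples: (uri, Host header, really addressed to example.com?)
SAMPLES = [
    ("example.com/blablabla", "", True),
    ("http://subdomain.example.com/blablabla", "", True),
    ("/blablabla", "Subdomain.Example.com:8080", True),
    ("goodsite.test/index.php?url=example.com", "", False),
    ("http://notexample.com/", "", False),
    ("http://example.com.evil.test/", "", False),
    ("/index.php?url=example.com", "goodsite.test", False),
]

def false_positives(rule) -> list:
    """URIs the rule flags although the destination is not DOMAIN."""
    return [u for u, h, wanted in SAMPLES if not wanted and rule(u, h)]

def missed(rule) -> list:
    """URIs addressed to DOMAIN that the rule fails to flag."""
    return [u for u, h, wanted in SAMPLES if wanted and not rule(u, h)]

if __name__ == "__main__":
    for name, rule in (("substring", substring_rule), ("anchored", anchored_rule)):
        print(name, "false positives:", false_positives(rule))
```

The anchored pattern rejects the domain when it appears only in the query string, as a suffix of another name (notexample.com), or as a prefix of a longer one (example.com.evil.test).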
  </body>
</html>