[Oisf-users] suricata rules for url matching
Paolo D'Angeli
paolo.dangeli at asdc.asi.it
Tue Jan 12 08:53:20 UTC 2016
I want to write a custom rule to identify access to a specific domain and its
subdomains (like example.com - example.com/blablabla -
subdomain.example.com - subdomain.example.com/blablabla ...).
I tried this:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS BLOCKED SITE: example.com"; content:"GET"; depth:3; content:"example.com"; http_uri; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:600; rev:1;)
It works fine, but it also matches when I visit a URL that contains "BLOCKED
SITE", like this: GOODSITE/index.php?url=example.com
How can I correct this rule?
Thanks
PD
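The root cause is the buffer being inspected: http_uri only covers the request path and query string, so a query parameter such as ?url=example.com on an unrelated site matches too. The domain a client is contacting lives in the Host header, which Suricata exposes as the http_host buffer. The following rule is an added example written for this reply, not code from the original post or from the Suricata project; it assumes Suricata 2.x/3.x keyword syntax, keeps the sid 600 from the original, and uses the same $HOME_NET / $EXTERNAL_NET variables.

```suricata
# Added example: match the Host header, not the URI, so a request like
# GET /index.php?url=example.com to some other site no longer fires.
#
# Notes on the keywords used:
# - "alert http" makes Suricata inspect HTTP on whatever port it detects
#   it on, so $HTTP_PORTS is no longer needed.
# - http_host is the Host header value, lowercased and with any :port
#   stripped; Suricata rejects "nocase" on this buffer, so it is omitted.
# - The content match is the fast-path prefilter; the pcre with the /W
#   modifier (pcre on the http_host buffer) then anchors the match so
#   that only "example.com" itself or "*.example.com" triggers, while
#   "notexample.com" or "example.com.evil.net" does not.
# - flow:established,to_server replaces the raw content:"GET"; depth:3;
#   check, so every request method to the domain is reported, which is
#   what "access" means here.
# - The trailing backslash continues the rule on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"ACCESS BLOCKED SITE: example.com"; \
    flow:established,to_server; \
    content:"example.com"; http_host; \
    pcre:"/(^|\.)example\.com$/W"; \
    threshold: type limit, track by_src, count 1, seconds 300; \
    classtype:policy-violation; sid:600; rev:2; \
)
```

Two caveats a practitioner would want: this only sees plain HTTP, since over HTTPS the Host header is inside the TLS session and the rule never fires; and if you need a case-sensitive or port-including match, switch to http_raw_host (pcre modifier /Z), which is the un-normalized header.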