[Oisf-users] suricata rules for url matching

Paolo D'Angeli paolo.dangeli at asdc.asi.it
Tue Jan 12 08:53:20 UTC 2016

I want write custom rule for identify access to specific domain and 
subdomain (like example.com - example.com/blablabla - 
subdomain.example.com - subdomain.example.com/blablabla ...).

I try this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS 
BLOCKED SITE: example.com"; content:"GET"; depth:3; 
content:"example.com"; http_uri; nocase; threshold: type limit, track 
by_src, count 1, seconds 300; classtype:policy-violation; sid:600; rev

It work fine, but match also when I visit url that contain "BLOCKED 
SITE" like this GOODSITE/index.php?url=example.com

How can I correct this rule?



More information about the Oisf-users mailing list