[Oisf-users] suricata rules for url matching
rmkml
rmkml at ligfy.org
Tue Jan 12 10:59:04 UTC 2016
Hi Paolo,
Restrict FP with pcre U please.
Regards @Rmkml
-------- Original message --------
From: Paolo D'Angeli <paolo.dangeli at asdc.asi.it>
Date: 12/01/2016 09:53 (GMT+01:00)
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] suricata rules for url matching
I want to write a custom rule to identify access to a specific domain and
its subdomains (like example.com, example.com/blablabla,
subdomain.example.com, subdomain.example.com/blablabla ...).
I tried this:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS BLOCKED SITE: example.com"; content:"GET"; depth:3; content:"example.com"; http_uri; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:600; rev:1;)
It works fine, but it also matches when I visit a URL that contains the
"BLOCKED SITE", like this: GOODSITE/index.php?url=example.com
How can I correct this rule?
Thanks
PD
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
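To make the point of the thread concrete, here is an added Python example (not from the list post or from Suricata) that emulates the original `content:"example.com"; http_uri; nocase;` substring check against the URI and the restricted check rmkml suggests. The pattern `/^[^?]*example\.com/Ui` (match before any `?` query separator, case-insensitive, on the normalized URI) and the sample URIs are assumptions, since the reply gives no pattern.

```python
import re

# Assumed pattern: the equivalent of adding
#   pcre:"/^[^?]*example\.com/Ui";
# to the rule, i.e. example.com must appear in the URI path part, before any
# '?' query separator (/U = normalized HTTP URI buffer, i = case-insensitive).
ANCHORED_URI_PATTERN = re.compile(r"^[^?]*example\.com", re.IGNORECASE)


def substring_match(uri: str) -> bool:
    """Emulates the original rule: content:"example.com"; http_uri; nocase;"""
    return "example.com" in uri.lower()


def anchored_pcre_match(uri: str) -> bool:
    """Emulates the restricted rule: the domain must sit before any '?' in the URI."""
    return ANCHORED_URI_PATTERN.search(uri) is not None


# Constructed sample URIs (not taken from the list post).
SAMPLE_URIS = [
    "http://example.com/",                    # proxy-style full URL to the blocked domain
    "http://subdomain.example.com/blablabla",  # subdomain, also a full URL
    "/index.php?url=example.com",             # the false positive described in the post
    "/search?q=EXAMPLE.COM&lang=en",          # same false positive, different case
    "/",                                      # unrelated request
]


def evaluate(uris=SAMPLE_URIS):
    """Return {uri: (original_rule_matches, restricted_rule_matches)}."""
    return {uri: (substring_match(uri), anchored_pcre_match(uri)) for uri in uris}


if __name__ == "__main__":
    for uri, (original, restricted) in evaluate().items():
        print(f"{uri:42s} original={original!s:5s} restricted={restricted}")
```

Note that for direct (non-proxy) requests the normalized URI holds only the path, and the domain is only in the Host header, so matching it with `http_host` is the cleaner check; the pcre restriction above removes the query-string false positive for the URI-based rule.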