[Oisf-users] suricata rules for url matching

rmkml rmkml at ligfy.org
Tue Jan 12 10:59:04 UTC 2016

Hi Paolo, Restrict FP with pcre U please. Regards @Rmkml 

-------- Message d'origine --------
De : Paolo D'Angeli <paolo.dangeli at asdc.asi.it> 
Date : 12/01/2016  09:53  (GMT+01:00) 
À : oisf-users at lists.openinfosecfoundation.org 
Objet : [Oisf-users] suricata rules for url matching 

I want write custom rule for identify access to specific domain and 
subdomain (like example.com - example.com/blablabla - 
subdomain.example.com - subdomain.example.com/blablabla ...).

I try this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS 
BLOCKED SITE: example.com"; content:"GET"; depth:3; 
content:"example.com"; http_uri; nocase; threshold: type limit, track 
by_src, count 1, seconds 300; classtype:policy-violation; sid:600; rev

It work fine, but match also when I visit url that contain "BLOCKED 
SITE" like this GOODSITE/index.php?url=example.com

How can I correct this rule?



Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160112/30f4b444/attachment-0002.html>

More information about the Oisf-users mailing list