[Oisf-users] suricata rules for url matching

Paolo D'Angeli paolo.dangeli at asdc.asi.it
Tue Jan 12 11:06:51 UTC 2016


Can you help me with an example?

Thanks

PD

On 12/01/2016 11:59, rmkml wrote:
> Hi Paolo,
> Restrict FP with pcre U please.
> Regards
> @Rmkml
>
>
>
>
> -------- Original message --------
> From: Paolo D'Angeli <paolo.dangeli at asdc.asi.it>
> Date: 12/01/2016 09:53 (GMT+01:00)
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [Oisf-users] suricata rules for url matching
>
> I want to write a custom rule to identify access to a specific domain and
> its subdomains (like example.com - example.com/blablabla -
> subdomain.example.com - subdomain.example.com/blablabla ...).
>
> I tried this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ACCESS
> BLOCKED SITE: example.com"; content:"GET"; depth:3;
> content:"example.com"; http_uri; nocase; threshold: type limit, track
> by_src, count 1, seconds 300; classtype:policy-violation; sid:600;
> rev:1;)
>
> It works fine, but it also matches when I visit a URL that contains "BLOCKED
> SITE", like this: GOODSITE/index.php?url=example.com
>
> How can I correct this rule?
>
> Thanks
>
> PD
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: 
> http://oisfevents.net
>
>
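
An added illustration (not from the thread) of why the posted rule fires on a query string and what rmkml's "pcre U" suggestion changes. It models the original `content:"example.com"; http_uri; nocase;` as an unanchored substring test and compares it with an anchored regex that Suricata would run on the same normalized URI buffer via the `U` flag; the regex itself, the assumption that the inspected URI buffer carries the absolute form (as in a proxied request, the only way a domain match on http_uri succeeds), and all sample URIs are mine.

```python
import re

# Constructed sample request URIs (not taken from the thread). Absolute-form
# URIs are what a proxied request carries; the last two are the kind of
# false positives the original rule also fires on.
SAMPLE_URIS = [
    "http://example.com/",
    "http://example.com/blablabla",
    "http://subdomain.example.com/blablabla",
    "http://GOODSITE/index.php?url=example.com",
    "http://notexample.com/index.php",
]


def naive_match(uri: str) -> bool:
    """Equivalent of: content:"example.com"; http_uri; nocase;
    An unanchored, case-insensitive substring test over the whole URI buffer,
    so "example.com" anywhere (path, query string, lookalike host) hits."""
    return "example.com" in uri.lower()


# Equivalent of an assumed rewrite (my suggestion, not rmkml's exact rule):
#   pcre:"/^(?:https?:\/\/)?(?:[^\/?#]+\.)?example\.com(?:[\/?#]|$)/Ui";
# U = run the regex on the normalized http_uri buffer, i = case-insensitive.
# The ^ anchor pins the match to the start of the buffer, so "example.com"
# inside a query string no longer qualifies; the dot and delimiter checks
# reject lookalike hosts such as notexample.com.
ANCHORED = re.compile(r"^(?:https?://)?(?:[^/?#]+\.)?example\.com(?:[/?#]|$)", re.I)


def anchored_match(uri: str) -> bool:
    """Equivalent of the anchored pcre/U above."""
    return ANCHORED.search(uri) is not None


def compare(uris=SAMPLE_URIS) -> dict:
    """Return {uri: (content_only_hit, pcre_u_hit)} for each sample URI."""
    return {u: (naive_match(u), anchored_match(u)) for u in uris}


if __name__ == "__main__":
    for uri, (naive, anchored) in compare().items():
        print(f"{uri:45} content-only={naive!s:5} pcre/U={anchored}")
```

If the domain is only present in the Host header rather than in the request line, Suricata's `http_host` buffer is the more direct place to match it.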
