[Oisf-users] wildcard in http_host

erik clark philosnef at gmail.com
Wed Sep 20 11:51:09 UTC 2017


Is it possible to do a wildcard in http_host? I ask, because we have SSL
broken out, so several sigs we have fire erroneously as phishing or
what have you. Being able to do something like:

content:"*.irs.gov";http_host;

would be helpful. Doing content:"irs.gov"; http_host wouldn't work if it
matches a pattern in the middle of the string, because phishing domains are
likely to have some part of that domain in their hostname. We have about 30
phishing rules, and a few non-phishing rules, that we need to adjust for
this, including LinkedIn and Google template rules.

Dropping the rules isn't an option, since we have many times seen
successful https phishes for some of these domains. Thanks!
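The distinction the post is asking about is substring matching versus anchored suffix matching on the Host header: a plain `content:"irs.gov"; http_host;` exemption also covers look-alike hosts such as `irs.gov.refund-verify.example` or `theirs.gov`, while the wanted `*.irs.gov` semantics should accept only `irs.gov` itself and its subdomains. The Python below is an added illustration, not code from the post or from the Suricata project; the hostnames are constructed samples, and `normalize_host` models the case-folding of the normalized http_host buffer with the additional assumptions (this helper's own choice, not a documented Suricata property) that a `:port` suffix and a trailing dot are dropped. The anchored regex in `regex_match` is the shape you would use with Suricata's `pcre` keyword against the host buffer (check the pcre modifier table of the Suricata version you run for the right buffer modifier); newer releases also offer `dotprefix` plus `endswith` on `http.host` for the same effect, which should likewise be verified against your deployed version.

```python
import re

# Constructed sample Host header values (not taken from the post): the
# legitimate domain, two of its subdomains, and look-alike hostnames of the
# kind a phishing page might use so that "irs.gov" appears somewhere inside.
SAMPLE_HOSTS = [
    "irs.gov",
    "www.irs.gov",
    "sa.www4.irs.gov",
    "irs.gov.refund-verify.example",   # real domain embedded as a prefix
    "secure-irs.gov.example",          # real domain embedded in the middle
    "theirs.gov",                      # substring hit without a dot boundary
    "irs.gov.evil.example:8080",       # explicit port, real domain as prefix
]


def normalize_host(host: str) -> str:
    """Lower-case the host like the normalized http_host buffer does.

    Assumption (this helper only): also strip a trailing dot and a ':port'
    suffix. IPv6 literals are out of scope for this illustration.
    """
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host


def substring_match(host: str, domain: str) -> bool:
    """Semantics of content:"irs.gov"; http_host; (plain substring)."""
    return domain in normalize_host(host)


def suffix_match(host: str, domain: str) -> bool:
    """The '*.irs.gov' semantics the post asks for: the host is the domain
    itself or a subdomain of it, with a dot boundary enforced."""
    h = normalize_host(host)
    return h == domain or h.endswith("." + domain)


def regex_match(host: str, domain: str) -> bool:
    """Same check expressed as an anchored regex, the pattern shape you would
    hand to a pcre keyword: preceded by start-of-buffer or a dot, then end."""
    pattern = re.compile(r"(^|\.)" + re.escape(domain) + r"$")
    return pattern.search(normalize_host(host)) is not None


def wrongly_exempted(hosts, domain="irs.gov"):
    """Hosts a substring exemption would accept but a suffix exemption would
    not, i.e. the look-alikes that would slip past the phishing rules."""
    return [h for h in hosts if substring_match(h, domain) and not suffix_match(h, domain)]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:35} substring={substring_match(h, 'irs.gov')!s:5} "
              f"suffix={suffix_match(h, 'irs.gov')!s:5} regex={regex_match(h, 'irs.gov')}")
    print("would be wrongly exempted by a substring match:", wrongly_exempted(SAMPLE_HOSTS))
```

Running the script lists, for each constructed host, which of the three checks accepts it; the last line names the four look-alike hosts that a substring exemption would let through, which is exactly the failure the post anticipates for the plain `content:"irs.gov"; http_host;` form.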