[Oisf-users] wildcard in http_host
Victor Julien
lists at inliniac.net
Wed Sep 20 12:18:20 UTC 2017
On 20-09-17 13:51, erik clark wrote:
> Is it possible to do a wildcard in http_host? I ask, because we have ssl
> broken out, so several sigs we have fire erroneously as phishing or
> whathaveyou. Being able to do something like:
>
> content:"*.irs.gov <http://irs.gov>";http_host;
>
> would be helpful. Doing content:"irs.gov <http://irs.gov>"; http_host
> wouldnt work if it matches a pattern in the middle of the string,
> because phishing domains are likely to have some part of that domain in
> their hostname. We have about 30 phishing rules, and a few nonphishing
> rules, that we need to adjust for this, including linkedin and google
> template rules.
No wildcard, but this comes pretty close:
content:"irs.gov; http_host; isdataat:!1,relative;
It makes sure the host header ends in 'irs.gov'. It will also match on
'notirs.gov' though. Maybe a regex can fix that.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list