[Oisf-users] wildcard in http_host

Victor Julien lists at inliniac.net
Wed Sep 20 12:18:20 UTC 2017

On 20-09-17 13:51, erik clark wrote:
> Is it possible to do a wildcard in http_host? I ask, because we have ssl
> broken out, so several sigs we have fire erroneously as phishing or
> what have you. Being able to do something like:
> content:"*.irs.gov"; http_host;
> would be helpful. Doing content:"irs.gov"; http_host;
> wouldn't work if it matches a pattern in the middle of the string,
> because phishing domains are likely to have some part of that domain in
> their hostname. We have about 30 phishing rules, and a few non-phishing
> rules, that we need to adjust for this, including LinkedIn and Google
> template rules.

No wildcard, but this comes pretty close:

content:"irs.gov"; http_host; isdataat:!1,relative;

It makes sure the host header ends in 'irs.gov'. It will also match on
'notirs.gov' though. Maybe a regex can fix that.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
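As an added illustration that is not part of the thread, here is a small Python model of the three matching behaviours discussed above: a plain content match, content plus isdataat:!1,relative (end-anchored, still catches 'notirs.gov'), and a label-boundary regex of the kind Victor hints at. The complete rule string, its sid and the sample hostnames are constructed for this example.

```python
import re

# Constructed sample http_host values (not taken from the thread).
# Suricata normalises the http_host buffer to lowercase, so inputs are lowered.
HOSTS = [
    "www.irs.gov",                  # legitimate subdomain: should match
    "irs.gov",                      # bare domain: should match
    "notirs.gov",                   # false positive for the isdataat variant
    "irs.gov.evil.example",         # substring in the middle: must not match
    "secure-irs.gov.login.example", # substring in the middle: must not match
]

# Full rule assumed for illustration; sid is a placeholder.
# The pcre 'W' modifier selects the http_host buffer.
RULE = ('alert http any any -> any any (msg:"host ends in irs.gov"; '
        'content:"irs.gov"; http_host; pcre:"/(^|\\.)irs\\.gov$/W"; '
        'sid:1000001; rev:1;)')


def content_only(host: str, needle: str = "irs.gov") -> bool:
    """content:"irs.gov"; http_host;  -- substring anywhere in the host."""
    return needle in host.lower()


def content_with_isdataat(host: str, needle: str = "irs.gov") -> bool:
    """content:"irs.gov"; http_host; isdataat:!1,relative;
    The content must match and no byte may follow it, i.e. the host
    must END with the needle (Suricata retries later occurrences)."""
    return host.lower().endswith(needle)


# Regex from the rule above: needle at start of host or after a dot, at the end.
LABEL_BOUNDARY = re.compile(r"(^|\.)irs\.gov$")


def pcre_label_boundary(host: str) -> bool:
    """pcre:"/(^|\\.)irs\\.gov$/W" -- end-anchored AND on a label boundary."""
    return LABEL_BOUNDARY.search(host.lower()) is not None


def evaluate(hosts=HOSTS) -> dict:
    """Map each host to (content_only, with_isdataat, label_boundary)."""
    return {h: (content_only(h), content_with_isdataat(h), pcre_label_boundary(h))
            for h in hosts}
```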
