2 replies, latest post 2016-08-03T21:33:36Z by farid_EXC

Pinned topic How to build a Building Block of Regular Expressions

2014-01-27T15:49:22Z | blocks building regex

I am trying to build a building block of regular expressions that I then use in a rule to alert on. The Building Block will match the URL property coming from my proxies against the regular expression to catch Command and Control URLs or other dynamic malicious URLs. I found the test in the Building Block that states "when any of these properties match this regular expression". This will work for one URL regex, but not for a list. Has anyone been able to build a list of regular expressions to alert on? I also looked in the reference sets, but none of the reference set tests in the rule wizard match against a regular expression.

  • Jason Keirstead (IBM)

    Re: How to build a Building Block of Regular Expressions
    You should be able to accomplish this test by using the "when the event matches this search filter" test, and use the Payload Matches Regular Expression [is any of] test, and enter your list of regular expressions in there.

    The only catch is, I assume you want to import these regular expressions from some external list on an on-going basis. That functionality would need some lower-level knowledge on how to import that list into the rule; professional services could set that up.

    A much cleaner way would be for us to allow you to select "[is in reference set]" in the search parameters. This is an interesting FR, I would recommend adding it to the FR system so that it can be tracked.
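
    The "[is any of]" test above is just "does any regex in a list match the URL property". As an added example (not QRadar's own code and not part of this thread), the Python below does the same thing outside the rule wizard: it compiles a regex list that might have been imported from an external feed, rejects malformed entries instead of letting one bad line disable the whole block, and runs the list over a few proxy events. The regex list, the domains and the events are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "reference list" of C2 URL regular expressions, one per
# line, the way an externally maintained list might be imported. All domains
# and paths are made up; the malformed last line is there on purpose.
C2_REGEX_LIST = r"""
# comment lines and blank lines are ignored
^https?://[^/]*\.badcdn\.example/gate\.php
/[a-z0-9]{32}\.bin$
^https?://(www\.)?evil-cnc\.example(:\d+)?/
[unclosed
"""

Compiled = Tuple[str, "re.Pattern[str]"]


def compile_patterns(text: str) -> Tuple[List[Compiled], List[str]]:
    """Compile one regex per non-blank, non-comment line.

    Returns (compiled, rejected). Keeping the rejected lines lets you log a
    bad entry from an imported list instead of failing the whole block.
    """
    compiled: List[Compiled] = []
    rejected: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            compiled.append((line, re.compile(line, re.IGNORECASE)))
        except re.error:
            rejected.append(line)
    return compiled, rejected


def matching_pattern(url: str, patterns: List[Compiled]) -> Optional[str]:
    """'Is any of' semantics: return the first regex that matches anywhere in the URL."""
    for source, pattern in patterns:
        if pattern.search(url):
            return source
    return None


def scan_events(events: List[Dict[str, str]], patterns: List[Compiled]) -> List[Dict[str, str]]:
    """Run the building block over proxy events; return the ones that should alert."""
    alerts = []
    for event in events:
        hit = matching_pattern(event.get("url", ""), patterns)
        if hit is not None:
            alerts.append({**event, "matched_regex": hit})
    return alerts


# Constructed proxy events; only the URL property matters for the test.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "url": "http://cdn1.badcdn.example/gate.php?id=7"},
    {"src": "10.0.0.6", "url": "https://intranet.example/reports/q3.pdf"},
    {"src": "10.0.0.7", "url": "http://files.example/0123456789abcdef0123456789abcdef.bin"},
    {"src": "10.0.0.8", "url": "https://evil-cnc.example:8443/beacon"},
]

if __name__ == "__main__":
    patterns, rejected = compile_patterns(C2_REGEX_LIST)
    for bad in rejected:
        print("rejected regex from list:", bad)
    for alert in scan_events(SAMPLE_EVENTS, patterns):
        print(alert["src"], "->", alert["url"], "matched", alert["matched_regex"])
```

    Two things worth carrying over to the real rule: anchor patterns (`^https?://...` and `$`) where you can, since an unanchored `evil.com` also matches `notevil.com` and `evil-com...`, and validate every entry of an imported list, because one malformed regex would otherwise break the whole "is any of" test.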

  • farid_EXC

    Re: How to build a Building Block of Regular Expressions

    Did you have any update on this topic since 2014? ... especially concerning the regex reference set.