I am trying to build a building block of regular expressions that I then use in a rule to alert on. The Building Block will be to match the URL property coming from my proxies against the regular expression to catch Command and Control URLs or other dynamic malicious URLs. I found the test in the Building Block that states "when any of these properties match this regular expression". This will work for one regex URL, but not for a list. Has anyone been able to build a list of regular expressions to alert on? I also looked in the reference sets, but none of the reference set tests in the rule wizard match against regular expressions.
Jason Keirstead (IBM)
Re: How to build a Building Block of Regular Expressions 2014-02-05T20:25:43Z
This is the accepted answer.
You should be able to accomplish this test by using the "when the event matches this search filter" test, and use the Payload Matches Regular Expression [is any of] test, and enter your list of regular expressions in there.
The only catch is, I assume you want to import these regular expressions in from some external list on an on-going basis. To do that functionality would need some lower-level knowledge on how to import that list into the rule. Professional services could set that up.
A much cleaner way would be for us to allow you to select "[is in reference set]" in the search parameters. This is an interesting FR, I would recommend adding it to the FR system so that it can be tracked.
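The "[is any of]" list test described in the answer amounts to compiling a list of regexes and alerting when a proxy URL matches any one of them. The script below is an added illustration of that logic outside QRadar (it is not IBM's code and does not use the QRadar rule engine); the pattern list, the log lines and the hostnames in them are constructed for the example. It also covers the import concern raised above: an entry in an externally maintained list that fails to compile is reported with its line number rather than silently dropped or allowed to abort the scan.

```python
import re
from typing import List, Optional, Tuple

# Constructed pattern list, one regex per line, in the shape a
# "Payload Matches Regular Expression [is any of]" list would take.
# Lines starting with '#' are comments. The last entry is deliberately
# malformed (unterminated character class) to exercise error reporting.
PATTERN_LIST = r"""
# placeholder beacon path (constructed, not a real indicator)
^https?://[^/]+/gate\.php(\?|$)
# 32-hex-char directory followed by an upload/command endpoint (constructed)
^https?://[^/]+/[0-9a-f]{32}/(upload|cmd)$
# broken pattern: must be reported, not crash the scan
^https?://[^/]+/[abc
"""

# Constructed proxy log lines: "<timestamp> <source ip> <url>"
PROXY_LOG = """
2014-02-05T20:10:01Z 10.0.0.12 http://www.example.com/index.html
2014-02-05T20:10:07Z 10.0.0.12 http://cdn.example.net/gate.php?id=42
2014-02-05T20:11:30Z 10.0.0.31 https://files.example.org/0123456789abcdef0123456789abcdef/upload
2014-02-05T20:12:02Z 10.0.0.31 https://files.example.org/0123456789abcdef0123456789abcdef/download
"""


def load_patterns(text: str) -> Tuple[List["re.Pattern[str]"], List[Tuple[int, str]]]:
    """Compile one regex per non-empty, non-comment line.

    Returns (compiled patterns, [(line_no, error message)]) so that a bad
    entry in an imported list is surfaced instead of silently weakening
    detection.
    """
    compiled: List["re.Pattern[str]"] = []
    errors: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            compiled.append(re.compile(line, re.IGNORECASE))
        except re.error as exc:
            errors.append((line_no, f"{line}: {exc}"))
    return compiled, errors


def first_match(url: str, patterns: List["re.Pattern[str]"]) -> Optional[str]:
    """Return the source text of the first pattern matching the URL, or None."""
    for pattern in patterns:
        if pattern.search(url):
            return pattern.pattern
    return None


def scan_log(log_text: str, patterns: List["re.Pattern[str]"]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source ip, url, matched pattern) for every matching line."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, url = raw.split(maxsplit=2)
        matched = first_match(url, patterns)
        if matched is not None:
            hits.append((ts, src, url, matched))
    return hits


if __name__ == "__main__":
    patterns, errors = load_patterns(PATTERN_LIST)
    for line_no, msg in errors:
        print(f"pattern list line {line_no} rejected: {msg}")
    for ts, src, url, matched in scan_log(PROXY_LOG, patterns):
        print(f"ALERT {ts} {src} {url} matched /{matched}/")
```

Feeding the list through `load_patterns` before it is loaded into the rule is the check worth keeping: a list maintained outside the SIEM tends to accumulate entries that were never compiled, and one such entry is enough to make a rule stop matching without any visible error.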