Use case
Please describe the scenario and the way the feature would be used.
I ran into some problems while extracting the DNS queries flagged by ET threat-intel rules into smartdns rules.
Take the following rule as an example:
alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns.query; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}./"; classtype:policy-violation; sid:2026486; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
This rule excludes some prefixes for domains ending in core.windows.net. In practice the characters in the middle of onedrivecl(xxxxxxx) vary, so they cannot really be enumerated. Is there any way to express a configuration that matches this rule with the current configuration options?
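Before converting a rule like this into another format it helps to know exactly which query names it alerts on. The following is an added example, not code from the issue author or from the smartdns project: it parses the `dns.query` options of the ET rule quoted above (`content` with `endswith`, a positive `pcre` and a negated `pcre`) and applies them to a constructed list of query names. The query names are made up for illustration, and lowercasing the name before matching is this example's own normalization choice, not something the rule states.

```python
import re
from dataclasses import dataclass, field

# The ET rule quoted in the issue (sid 2026486, rev 10), verbatim.
ET_RULE = (
    'alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup for Possible Common '
    'Brand Phishing Hosted on Legitimate Windows Service"; dns.query; '
    'content:".core.windows.net"; endswith; '
    'pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; '
    'pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}./"; classtype:policy-violation; '
    'sid:2026486; rev:10; metadata:affected_product Web_Browsers, '
    'attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, '
    'signature_severity Minor, tag Phishing, updated_at 2020_11_17;)'
)


@dataclass
class DnsQueryRule:
    """The parts of a rule that act on the dns.query buffer."""
    sid: str = "?"
    contents: list = field(default_factory=list)  # [needle, {modifiers}]
    pcres: list = field(default_factory=list)     # (compiled regex, negated)


def split_options(opts: str) -> list:
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    tokens, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tokens.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        tokens.append("".join(buf).strip())
    return tokens


def parse_rule(rule: str) -> DnsQueryRule:
    """Extract content/pcre options that follow the dns.query sticky buffer."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = DnsQueryRule()
    in_dns_query = False
    for tok in split_options(opts):
        key, _, val = tok.partition(":")
        if key == "dns.query":
            in_dns_query = True
        elif key == "sid":
            parsed.sid = val.strip()
        elif not in_dns_query:
            continue
        elif key == "content":
            parsed.contents.append([val.strip().strip('"'), set()])
        elif key in ("endswith", "startswith", "nocase"):
            parsed.contents[-1][1].add(key)
        elif key == "pcre":
            negated = val.startswith("!")
            body = val.lstrip("!").strip().strip('"')   # -> /pattern/flags
            pattern, _, flags = body[1:].rpartition("/")
            re_flags = re.IGNORECASE if "i" in flags else 0
            parsed.pcres.append((re.compile(pattern, re_flags), negated))
    return parsed


def matches(rule: DnsQueryRule, qname: str) -> bool:
    """True if the query name satisfies every content and pcre option."""
    buf = qname.rstrip(".").lower()  # assumption: compare case-insensitively
    for needle, mods in rule.contents:
        needle = needle.lower()
        if "endswith" in mods:
            ok = buf.endswith(needle)
        elif "startswith" in mods:
            ok = buf.startswith(needle)
        else:
            ok = needle in buf
        if not ok:
            return False
    for regex, negated in rule.pcres:
        hit = regex.search(buf) is not None  # '^' anchors at buffer start
        if hit == negated:                   # negated pcre must NOT match
            return False
    return True


# Constructed sample query names; not taken from any real log.
SAMPLE_QUERIES = [
    "docusign-review.blob.core.windows.net",      # alerts: docusign prefix
    "dropbox-share.z13.web.core.windows.net",     # alerts: dropbox prefix
    "onedrive-verify.z13.web.core.windows.net",   # alerts: onedrive prefix
    "onedriveclucprodeu12345.file.core.windows.net",  # excluded by pcre:!
    "onedriveclucprodeu1234.file.core.windows.net",   # 4 digits: not excluded
    "myadobe.blob.core.windows.net",              # no alert: '^' anchor
    "adobe.com",                                  # no alert: wrong suffix
]


def alerting_queries(rule: DnsQueryRule, qnames) -> list:
    """Return the query names the rule would alert on, in input order."""
    return [q for q in qnames if matches(rule, q)]


if __name__ == "__main__":
    rule = parse_rule(ET_RULE)
    for q in SAMPLE_QUERIES:
        print(f"sid {rule.sid}: {'ALERT' if matches(rule, q) else 'ok   '} {q}")
```

Running it shows that the exclusion is a regex shape (fixed prefix, two letters, `prod`, two letters, five digits), so a name that deviates from that shape by even one character is still alerted on; that is the set a smartdns configuration would have to reproduce.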