On Fri, Sep 19, 2014 at 2:59 PM, John Hardin <jhar...@impsec.org> wrote:
> On Fri, 19 Sep 2014, francis picabia wrote:
>
>> On Tue, Sep 16, 2014 at 5:27 PM, John Hardin <jhar...@impsec.org> wrote:
>>
>>> On Tue, 16 Sep 2014, francis picabia wrote:
>>>
>>>> Hello,
>>>>
>>>> We just received the most authentic-looking phishing I've seen. It was
>>>> professionally written, included a nice signature in the style used by
>>>> people at my workplace, and the target link was an exact replica of an
>>>> ezproxy website we run.
>>>>
>>>> The URL domain was only different by a few letters. I'm thinking we will
>>>> see more of these. So here is a question perhaps someone can solve and
>>>> many of us can benefit from...
>>>>
>>>> How can I make a uri rule which matches
>>>>
>>>> example.com.junk/
>>>>
>>>> but does not match
>>>>
>>>> example.com/
>>>
>>> uri URI_EXAMPLE_EXTRA m;^https?://(?:www\.)?example\.com[^/?];i
>>
>> That's a great one-liner. I'm glad I asked. Thank you for this.
>
> Warning: I did not actually test it. Please test it before putting it into
> production.

Yes, understood. I did test and it seemed to work OK. However, another
spoofed message was received today and the rule did not capture it.

If I want to detect something in the form of:

random_server.example.com.junk

I need to wildcard the first bit. Would that be:

uri URI_EXAMPLE_EXTRA m;^https?://(?:.*\.)?example\.com[^/?];i

I don't understand what the question mark and colon do inside the ( ).
I thought it followed an optional char or expression. Should it be like this?

uri URI_EXAMPLE_EXTRA m;^https?://(.*\.)?example\.com[^/?];i
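The rule bodies from this thread, exercised against constructed sample URIs in Python as an added example (not code posted by anyone in the thread; Python's re treats these constructs the same way Perl does). It also includes a tighter variant of the wildcard pattern, which is my own suggestion rather than anything posted here, and shows what `(?:` changes compared with a plain `(`.

```python
import re

# Rule bodies from the thread: SpamAssassin's m;...;i becomes a plain
# pattern plus re.IGNORECASE.
PATTERN_WWW_ONLY = r"^https?://(?:www\.)?example\.com[^/?]"
PATTERN_ANY_SUB = r"^https?://(?:.*\.)?example\.com[^/?]"
# Added suggestion, not from the thread: '.*' also matches '/', so the
# wildcard could run across a path; [^/?]* keeps it inside the host part.
PATTERN_ANY_SUB_TIGHT = r"^https?://(?:[^/?]*\.)?example\.com[^/?]"

# Constructed sample URIs with the outcome a defender would want.
SAMPLES = [
    "http://example.com/",                     # legitimate, must not hit
    "https://www.example.com/login",           # legitimate, must not hit
    "http://example.com",                      # bare host: nothing after .com, no hit
    "http://example.com.junk/",                # lookalike from the first message
    "http://random_server.example.com.junk/",  # lookalike from the follow-up
    "http://example.com:8080/",                # caveat: ':' is not '/' or '?', so it hits
    "http://other.net/x.example.com.junk",     # lookalike text only in the path
]


def rule_hits(pattern: str, uri: str) -> bool:
    """True if a uri rule with this body would fire on the given URI."""
    return re.search(pattern, uri, re.IGNORECASE) is not None


def evaluate(pattern: str) -> dict:
    """Map every sample URI to whether the pattern fires on it."""
    return {uri: rule_hits(pattern, uri) for uri in SAMPLES}


def capture_groups(pattern: str, uri: str):
    """(?:...) and (...) match the same strings; only (...) stores the
    matched subdomain as a group, which a SpamAssassin rule never uses."""
    m = re.search(pattern, uri, re.IGNORECASE)
    return None if m is None else m.groups()


if __name__ == "__main__":
    for name, pat in [("www only", PATTERN_WWW_ONLY),
                      ("any sub", PATTERN_ANY_SUB),
                      ("any sub, tight", PATTERN_ANY_SUB_TIGHT)]:
        print(name)
        for uri, hit in evaluate(pat).items():
            print(f"  {'HIT ' if hit else '    '} {uri}")
```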