We have a list of URL domains with regex expressions. These domains change often, but they still have a pattern, so we can match them with a regex expression.
Is it possible to upload a regex feed and then have it be read as regex in an app rule and/or ESA?
No. It is not possible to have a feed based on regular expressions. Feeds, and the underlying CSV file, would be exact matches.
Can you post an example?
There is another chance to match the suspicious domains using regex.
If you are using the Reporting Engine in SA HEAD,
- you can make a LIST containing the regex domains.
- you can make a rule to trigger the match.
- you can make an alert if something triggered.
The domain can be identified as 'hostname' in SA.
You can use it like this:
hostname regex [$BADDOMAIN]
BADDOMAIN is a list created by you.
If you have any further questions, don't hesitate to leave a comment here.