2014-02-12 02:50 PM
I am trying to create an Informer rule that will feed an Informer alert. I am basically looking for a direct-to-IP HTTP connection followed by a query string that contains a "/" followed by a 44-character alpha or numeric string. This is what I wrote as the rule:
query regex \/[a-z0-9]{44} && risk.suspicious = 'direct to ip http request'
It works but I am also getting stuff like the attached file being flagged. Can anyone tell me what I am doing wrong?
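As an added illustration (not code from the thread and not Informer's own matching engine), the regex from the rule above run with Python's re module over constructed query strings. It shows one property of the unanchored {44} quantifier that anyone checking this rule wants to know: nothing requires the alphanumeric run to stop after 44 characters, so a 60-character run matches too. The stricter pattern with a trailing lookahead, the sample query strings, and the assumption that Informer's engine is case-sensitive like Python's default are mine, not established in the thread.

```python
import re

# The query regex from the original post; the "&& risk.suspicious = ..." clause
# is Informer metadata matching and has no Python equivalent here.
QUERY_PATTERN = re.compile(r"/[a-z0-9]{44}")

# Assumed stricter variant for illustration: the run after the slash must end
# after exactly 44 characters (the next character must not be alphanumeric).
EXACT_PATTERN = re.compile(r"/[a-z0-9]{44}(?![a-z0-9])")

# Constructed sample query strings (not taken from the thread's pcap).
SAMPLES = {
    "exact44": "/" + "a1" * 22,                    # 44 alphanumerics after the slash
    "run60": "/" + "b2" * 30,                      # 60 alphanumerics: {44} still matches the first 44
    "short": "/" + "c3" * 10,                      # 20 characters: no match
    "uppercase": "/" + "D4" * 22,                  # uppercase D: [a-z0-9] is case-sensitive in Python's re
    "mid_path": "/static/" + "e5" * 22 + "/x.js",  # 44-character path segment inside a longer path
}


def matches(pattern, query):
    """Return every substring of `query` matched by `pattern`, in order."""
    return [m.group(0) for m in pattern.finditer(query)]


def classify(samples):
    """Map each sample name to (hit by original rule, hit by exact-length rule)."""
    return {
        name: (bool(matches(QUERY_PATTERN, q)), bool(matches(EXACT_PATTERN, q)))
        for name, q in samples.items()
    }


if __name__ == "__main__":
    for name, (loose, exact) in classify(SAMPLES).items():
        print(f"{name:10s} original rule: {loose!s:5s} exact-44 rule: {exact!s:5s}")
```

The "run60" sample is the one to look at: the original pattern reports a hit because it only needs to find 44 alphanumerics somewhere after a slash, while the lookahead variant rejects it. If Informer applies the regex the same way, a flagged session whose query contains a longer alphanumeric run is a match by design rather than a misfire, and the regex itself, not a query-meta count, would be the thing to tighten.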
2014-02-13 12:49 PM
Do you have multiple "query" meta in the session that is flagged? If so, only one meta needs to hit in order to cause that session to return as a result.
2014-02-13 01:02 PM
Nope, that is the only query for this session, which is why I was confused. I can't see how this could have triggered.
2014-02-19 07:59 AM
Possibly hitting some limit that Informer is setting without you knowing? I am using SA so I can't test it, but on regexpal you're correctly formatting everything.
2014-04-07 10:24 AM
Can you share the pcap so maybe we can test?