kevion
Level 7

Contains Pattern for lists

I import a list of over 1000 malware domains, URL, paths, or file names.

There are too many entries to put a "*" wildcard at the beginning and end of each entry. I was hoping to have a rule criterion that would be similar to a "contain" option. This would allow me to import a new updated list without having to manually enter a "*" for each entry.

Currently, the rule set is URL matches in list "BAD List" to block anything that matches.

*bad domain*

*bad server?.bad url*

*bad domain/path*

*bad url/path*

*bad file name.exe*

*bad file name*

*bad path name pattern*

Thanks in advance!

0 Kudos
1 Solution

Accepted Solutions
mixmasterm
Level 7

Re: Contains Pattern for lists

Unfortunately it’s not going to work the way you’re hoping for; the wildcards need to be explicitly defined for URL-related lists. There is a contains operator for some data types; I’m not sure why it was restricted for use with URLs.

It’s not that much of a burden though; you can use a tool like Notepad++ to insert leading and trailing “*”s to an existing text document pretty easily. Then you can copy/paste into the MWG using the “add multiple” or use the “append from file” option or subscribe to the list if it is hosted externally.

In Notepad++:

Leading *: Place cursor at beginning of first line.  Edit -> Column Editor, Text to Insert = “*” (quotation marks for documentation only) -> OK.

Trailing *: Search -> Replace: in Search Mode (bottom left) select “Extended”, Find what = “\r”, Replace with = “*” -> Replace All

You might consider breaking it into separate lists of hostnames, paths, file names, and whole URLs to make management easier in the future. Also, when building the rule be careful in selecting the correct property for what you’re actually looking for, i.e. URL.host vs URL.path vs URL.filename vs (whole) URL, etc.

0 Kudos
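
An added example, not part of the original thread and not vendor code: a Python script that does the wildcard wrapping described in the accepted solution and splits the entries into separate lists as it suggests. The bucket rules, the file-extension set and the sample entries are assumptions constructed for illustration.

```python
# Assumption: extensions that mark an entry as a file name rather than a host.
FILE_EXTS = (".exe", ".dll", ".scr", ".js", ".zip")

def wrap(entry):
    """Give the entry one leading and one trailing '*', never doubled."""
    return "*" + entry.strip("*") + "*"

def classify(entry):
    """Heuristic bucket for an entry (assumed rules, not MWG behaviour)."""
    bare = entry.strip("*")
    if "://" in bare:
        return "url"
    if bare.startswith("/"):
        return "path"
    if "/" in bare:
        return "url"  # host plus path without a scheme
    if bare.lower().endswith(FILE_EXTS):
        return "filename"
    return "host"

def build_lists(raw):
    """Return {bucket: [wrapped entries]} from the raw text of an imported list."""
    lists = {"host": [], "path": [], "filename": [], "url": []}
    seen = set()
    # splitlines() copes with CRLF, LF and a last line that has no line ending.
    for line in raw.splitlines():
        entry = line.strip()
        if not entry.strip("*"):
            continue  # blank or wildcard-only line: "*" alone would match everything
        wrapped = wrap(entry)
        if wrapped in seen:
            continue  # exact duplicate after wrapping
        seen.add(wrapped)
        lists[classify(entry)].append(wrapped)
    return lists

# Constructed sample input: mixed line endings, a duplicate that is already
# wrapped, a blank line, a wildcard-only line, and no newline at the end.
SAMPLE = ("bad-domain.example\r\n"
          "*bad-domain.example*\r\n"
          "bad-server?.example/path\n"
          "\n"
          "*\n"
          "/bad/path/pattern\r\n"
          "http://www.bad-domain.example/path\r\n"
          "bad-file-name.exe")

if __name__ == "__main__":
    for bucket, entries in build_lists(SAMPLE).items():
        print(bucket, entries)
```

Each bucket can then be pasted or appended into its own list and matched against the corresponding property (host, path, file name or whole URL).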
4 Replies
VriendP
Level 7

Re: Contains Pattern for lists

Unless you have good reason specific to your environment to want to use that list in MWG, I would personally choose to avoid that path and instead rely on GTI, unless your URLs are uncategorized. In which case, they should be categorized.

Perhaps this link can be of some help, although I didn't try it myself: http://trustedsource.org/en/feedback/url

You should be able to check your list of URLs against trustedsource and at least be able to remove some entries from it. It's much more efficient in both time and resources to use GTI for blocking this type of URL than it would be to let your appliance do all the work.

0 Kudos
kevion
Level 7

Re: Contains Pattern for lists

We need to use a specific list along with the GTI.

0 Kudos
eelsasser
Level 15

Re: Contains Pattern for lists

FYI,

with 7.4.1, there will be a SmartMatch property that should cover almost all of those use-cases.

domain.tld

domain.tld/path

host.domain.tld

http://www.domain.tld/path

...etc.