We have a block request in place for "bigboy-analysis.com/cgi-bin/neo3/". What I see in the event is URL Domain = www[.]bigboy-analysis.com and URL = www[.]bigboy-analysis/cgi-bin/neo/<query string>. What I need is a field (parameter) that contains exactly the first string in the user defined log. I do not want the query string but just the portion of the URL that matched the blocked list, that is the bigboy-analysis.com/cgi/neo3 portion of the request in the user defined log. Perhaps calling the new field "blocked string" or something. Any ideas appreciated. New to the product.
Are you asking to log URL.Host as a separate field in the log? And possibly URL.path?
set User-defined.logLine =
If the blocked list for URLs had a URL of http://badboy.com/cgi-bin/neo3 and the actual web request was for http://badboy.com/cgi-bin/neo3/aabbbccddeeffggti%/%5jfjfjfjfjfj....etc, I wanted a custom field or parameter to be called something like "block string matched" showing a value of "badboy.com/cgi-bin/neo3" in the user defined log. Not the full URL string in the request. We need this to run reports on blocked URLs that matched our blocked URL lists.
It almost sounds like you want to look at the referrer header. For example, if you google 'ifconfig me' and click the link to the site, you see the referring URL. This way if the site redirects you can keep the original request. Then change the log to include that header information. I don't have a lab system handy, otherwise I would get you a sample rule set.
I think this old post is what I'm looking for.
I want the actual URL that matched in the block list put in the user defined log that caused the rule to trigger. If I had a blocked URL list which included baddomain/cgi-bin/, then I want a parameter to put in my log with that value "baddomain/cgi-bin/". Looking for the exact match that caused the rule to fire.
List.LastMatches seems to do what you want. You need to take care that the property does not get overwritten by other rules, it will only contain the "last" match that happened. In case you need to store more list matches you could use user-defined properties and fill them with the value of "List.LastMatches" while walking through the rule engine. So you can store the match for each list you compared against.
I guess it is more appropriate to just say I'm looking for a parameter (field) that puts in the name of the URL from the blocked URL list whenever a URL is blocked and have that field be put into my user defined log. I don't need to scrape the portion of the URL request, I just need the user defined log to show the blocked URL that was used in blocking an HTTP request.
It sounds like you have a list of wildcard expressions, and you want to see which expression it actually matched on.
The List.LastMatches property should be able to tell you that.
To clarify, I just need that portion of the URL string that exactly matched the blocked URL list under a new field in the user defined log.