wpkm
Level 7

Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

We have a block request in place for "bigboy-analysis.com/cgi-bin/neo3/". What I see in the event is URL Domain = www[.]bigboy-analysis.com and URL = www[.]bigboy-analysis/cgi-bin/neo/<query string>. What I need is a field (parameter) that contains exactly the first string in the user defined log. I do not want the query string but just the portion of the URL that matched the blocked list, that is the bigboy-analysis.com/cgi/neo3 portion of the request in the user defined log. Perhaps calling the new field "blocked string" or something. Any ideas appreciated. New to the product.

8 Replies
eelsasser
Level 15

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

Are you asking to log URL.Host as a separate field in the log? And possibly URL.path?

set User-defined.logLine =
  ...
  +"
  +URL.Host
  +URL.Path
  +"
  ...

wpkm
Level 7

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

If the blocked list for URLs had a URL of http://badboy.com/cgi-bin/neo3 and the actual web request was for http://badboy.com/cgi-bin/neo3/aabbbccddeeffggti%/%5jfjfjfjfjfj....etc, I wanted a custom field or parameter to be called something like "block string matched" showing a value of "badboy.com/cgi-bin/neo3" in the user defined log. Not the full URL string in the request. We need this to run reports on blocked URLs that matched our blocked URL lists.

andyclements
Level 12

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

It almost sounds like you want to look at the referrer header.  For example, if you google 'ifconfig me' and click the link to the site, you see the referring URL.  This way if the site redirects you can keep the original request.  Then change the log to include that header information.  I don't have a lab system handy, otherwise I would get you a sample rule set.

wpkm
Level 7

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

I think this old post is what I'm looking for

https://community.mcafee.com/message/207085#207085

I want the actual URL that matched in the block list put in the user defined log that caused the rule to trigger. If I had a blocked URL list which included baddomain/cgi-bin/, then I want a parameter to put in my log with that value "baddomain/cgi-bin/". Looking for the exact match that caused the rule to fire.

asabban
Level 17

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

Hello,

List.LastMatches seems to do what you want. You need to take care that the property does not get overwritten by other rules; it will only contain the "last" match that happened. In case you need to store more list matches, you could use user-defined properties and fill them with the value of "List.LastMatches" while walking through the rule engine. So you can store the match for each list you compared against.

Best,

Andre

wpkm
Level 7

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

I guess it is more appropriate to just say I'm looking for a parameter (field) that puts in the name of the URL from the blocked URL list whenever a URL is blocked and have that field be put into my user defined log. I don't need to scrape the portion of the URL request, I just need the user defined log to show the blocked URL that was used in blocking an HTTP request.

eelsasser
Level 15

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

It sounds like you have a list of wildcard expressions, and you want to see which expression it actually matched on.

The List.LastMatches property should be able to tell you that.

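The behaviour asabban and eelsasser describe, modelled as an added example (not part of this thread and not the product's own rule syntax): a sequence of list lookups where a single "last match" value is overwritten by each later list, so the entry that matched the URL block list has to be copied into its own property before the next list runs. The block lists, URLs and property names are constructed placeholders.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed block lists of wildcard expressions (placeholders, not real indicators).
# The second list also matches the sample request, to show the last-match value being overwritten.
BLOCK_LISTS = {
    "Blocked URLs": ["badboy.com/cgi-bin/neo3*", "baddomain/cgi-bin/*"],
    "Blocked Paths": ["*/cgi-bin/*"],
}

def host_and_path(url):
    """URL.Host + URL.Path with the query string dropped (what the OP wants compared)."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path

def list_match(entries, value):
    """Return the list entry that matched, or None (simulates a URL list lookup)."""
    for entry in entries:
        if fnmatchcase(value, entry):
            return entry
    return None

def evaluate(url):
    """Walk the lists in order, like rules in a rule set.

    last_matches plays the role of List.LastMatches: every matching list overwrites it.
    Each hit is also copied right away into a per-list value (standing in for a
    user-defined property), so it survives later rules, as asabban describes.
    """
    subject = host_and_path(url)
    last_matches = None
    captured = {}
    for name, entries in BLOCK_LISTS.items():
        hit = list_match(entries, subject)
        if hit is not None:
            last_matches = hit
            captured[name] = hit   # capture before the next list can overwrite it
    return last_matches, captured

def log_line(url):
    """Build the user-defined log line with the entry that matched the URL block list."""
    last_matches, captured = evaluate(url)
    matched = captured.get("Blocked URLs", "-")
    action = "BLOCK" if captured else "ALLOW"
    return f'{action} host_path="{host_and_path(url)}" blocked_string="{matched}"'
```

Reading List.LastMatches only at the end of the rule set would log the "Blocked Paths" entry here, not the URL list entry the reports are meant to count.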
wpkm
Level 7

Re: Need user-defined log line to show the actual blocked URL string that matched a blocked HTTP request

To clarify, I just need that portion of the URL string that exactly matched the blocked URL list under a new field in the user defined log.
