4 Replies Latest reply on Jan 23, 2014 1:26 PM by eelsasser

    Contains Pattern for lists

    kevion

      I import a list of over 1000 malware domains, URL, paths, or file names.

       

      There are too many entries to put a "*" wildcard at the beginning and end of each entry. I was hoping to have a rule criterion that would be similar to a "contains" option. This would allow me to import a new updated list without having to manually enter a "*" for each entry.

       

      Currently, the rule set is URL matches in list "BAD List" to block anything that matches.

       

      *bad domain*

      *bad server?.bad url*

      *bad domain/path*

      *bad url/path*

      *bad file name.exe*

      *bad file name*

      *bad path name pattern*

       

       

      Thanks in advance!

        • 1. Re: Contains Pattern for lists
          VriendP

          Unless you have good reason specific to your environment to want to use that list in MWG, I would personally choose to avoid that path and instead rely on GTI, unless your URLs are uncategorized. In which case, they should be categorized.

           

          Perhaps this link can be of some help, although I didn't try it myself: http://trustedsource.org/en/feedback/url

           

          You should be able to check your list of URLs against trustedsource and at least be able to remove some entries from it. It's much more efficient in both time and resources to use GTI for blocking this type of URL than it would be to let your appliance do all the work.

          • 2. Re: Contains Pattern for lists
            kevion

            We need to use a specific list along with the GTI.

            • 3. Re: Contains Pattern for lists
              mixmasterm

              Unfortunately it’s not going to work the way you’re hoping for, the wildcards need to be explicitly defined for URL related lists.  There is a contains operator for some data types, I’m not sure why it was restricted for use with URLs.

               

              It’s not that much of a burden though; you can use a tool like Notepad++ to insert leading and trailing “*”s to an existing text document pretty easily. Then you can copy/paste into the MWG using the “add multiple” option, use the “append from file” option, or subscribe to the list if it is hosted externally.

               

              In Notepad++:

              Leading *: Place cursor at beginning of first line.  Edit -> Column Editor, Text to Insert = “*” (quotation marks for documentation only) -> OK.

              Trailing *: Search -> Replace: in Search Mode (bottom left) select “Extended”, Find what = “\r”, Replace with = “*” -> Replace All

               

              You might consider breaking it into separate lists of hostnames, paths, file names, and whole URLs to make management easier in the future. Also, when building the rule, be careful in selecting the correct property for what you’re actually looking for, i.e. URL.host vs URL.path vs URL.filename vs (whole) URL, etc.
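
A scripted version of the wildcard-wrapping steps in reply 3, added here as an example and not part of the original thread or any McAfee tooling. It also covers inputs with mixed line endings, entries that are already wrapped, and duplicates; the `#` comment convention, the `min_len` threshold and the file names are assumptions.

```python
import sys

def wrap_entries(text, min_len=4):
    """Wrap each blocklist entry in '*' wildcards.

    Returns (wrapped, rejected). min_len is an assumed safety threshold:
    entries shorter than it are held back, because something like '*ab*'
    would match almost every URL.
    """
    wrapped, rejected, seen = [], [], set()
    # splitlines() handles \r\n, \n and a last line with no line ending.
    for raw in text.splitlines():
        entry = raw.strip()
        # Skip blanks and '#' comment lines (assumed feed convention).
        if not entry or entry.startswith("#"):
            continue
        # Drop wildcards already at the ends so we never emit '**'.
        entry = entry.strip("*").strip()
        if not entry or entry in seen:
            continue
        seen.add(entry)
        if len(entry) < min_len:
            rejected.append(entry)
        else:
            wrapped.append("*" + entry + "*")
    return wrapped, rejected

# Constructed sample input: mixed line endings, a duplicate, a blank line,
# a comment, an entry that is already wrapped, and one that is too short.
SAMPLE = (
    "bad-domain.example\r\n"
    "*already.example/path*\n"
    "\n"
    "# feed comment\r\n"
    "bad-domain.example\r\n"
    "co\n"
    "bad file name.exe"
)

if __name__ == "__main__":
    # Usage: python wrap_list.py feed.txt > wrapped.txt  (placeholder names)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    wrapped, rejected = wrap_entries(text)
    print("\n".join(wrapped))
    for entry in rejected:
        print("held back (too short): " + entry, file=sys.stderr)
```

Entries reported on stderr are worth reviewing by hand before they go into a block list, since a short wildcard pattern can block far more than intended.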

              • 4. Re: Contains Pattern for lists

                FYI,

                with 7.4.1, there will be a SmartMatch property that should cover almost all of those use-cases.

                 

                domain.tld

                domain.tld/path

                host.domain.tld

                http://www.domain.tld/path

                 

                ...etc.
