Feeds with Regex
We have a list of URL domains with regex expressions. These domains change often, but they still have a pattern, so we can match them with a regex expression.
Is it possible to upload a regex feed and then have its entries read as regex in an app rule and/or ESA?
There is another way to match the suspicious domains using regex.
If you are using the Reporting Engine in SA HEAD,
- You can make a LIST containing the regex domains.
- You can make a rule to trigger the match.
- You can make an alert if something is triggered.
The domain can be identified as 'hostname' in SA.
You can use it like this:
hostname regex [$BADDOMAIN]
BADDOMAIN is a list created by you.
If you have any further questions, don't hesitate to leave a comment here.
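A regex list like the one described in the answer is worth checking before it is loaded, since a pattern with unescaped dots or no anchors will also match unrelated hostnames. The following is an added example, not part of the original thread or of any RSA tooling: it uses Python's `re` as a stand-in for the product's regex engine (an assumption, as is the unanchored search), and the feed entries and hostnames are constructed samples.

```python
import re

# Constructed sample feed: one regex per line, as it would be placed in the list.
FEED = [
    r"^cdn[0-9]{2}\.update-check\.example$",   # anchored, dots escaped
    r"login.example.net",                      # unanchored, dots unescaped
    r"^(mail|web[0-9]+\.badhost\.example$",    # unbalanced parenthesis
]

# Constructed hostnames: ones the feed is meant to catch, and known-good ones.
EXPECTED_HITS = ["cdn07.update-check.example", "login.example.net"]
KNOWN_GOOD = [
    "www.example.org",
    "loginxexample.net.example.org",
    "cdn07.update-check.example.org",
]


def check_feed(patterns, expected_hits, known_good):
    """Per pattern: compile error (if any), expected hits, and false positives."""
    report = {}
    for pat in patterns:
        entry = {"error": None, "hits": [], "false_positives": []}
        try:
            rx = re.compile(pat, re.IGNORECASE)
        except re.error as exc:
            entry["error"] = str(exc)
            report[pat] = entry
            continue
        # Assumption: the rule engine searches anywhere in the hostname,
        # so any anchoring has to be written into the pattern itself.
        entry["hits"] = [h for h in expected_hits if rx.search(h)]
        entry["false_positives"] = [h for h in known_good if rx.search(h)]
        report[pat] = entry
    return report


def usable(report):
    """Patterns that compile, catch an expected host, and hit no known-good host."""
    return [p for p, e in report.items()
            if e["error"] is None and e["hits"] and not e["false_positives"]]


if __name__ == "__main__":
    rep = check_feed(FEED, EXPECTED_HITS, KNOWN_GOOD)
    for pat, e in rep.items():
        print(pat, e)
    print("load into list:", usable(rep))
```

Patterns that pass here should still be tested in the platform itself, since its regex flavor may differ from Python's.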