OK so here is my problem. I have some rules that I have created that match against certain criteria. Below is an example of such a rule.
service = 80 && alert = 'web_susp_act' && (risk.info != 'http direct to ip request','direct to ip http request' && risk.suspicious != 'http direct to ip request','direct to ip http request')
I want this rule to ignore anything from my internal domain, so 'NTRS.com'.
I tried adding the following to the end of this rule:
...http request' && alias.host !ends NTRS.com)
...http request' && alias.host !contains NTRS.com)
...http request' && alias.host regex (.+(?<!ntrs)\.com))
Can you tell me how I can accomplish this task?
The reason you are not seeing your rules accomplish anything is that the !ends and !contains do not work. What I would do is put a rule at the top of the app rules.
internal_domain
alias.host ends 'NTRS.com'
alert on alert
Because the rules process from the top down, you should be able to use this rule in a rule below it; I could be wrong. But then you would just need to add ...http request') && alert != 'internal_domain'.
Let me know if this works.