RSA Admin

Simple set of parsers for Domain based filter/truncation rules

Discussion created by RSA Admin Employee on Sep 18, 2013

The attached zip contains 4 parsers based on Gary Golomb's original lists_filters parser.  I've broken out the parser into categories, making it easier to filter or truncate the specific type of traffic via Application Rules. All the parsers are looking at the "Host:" entry from a Web session, creating meta under the risk.info key based on the parser name.


update_filters.parser

  • Common update site domains can be put in this parser to be used in an application rule to either filter just executables (to replace all the "Live" filter rules from CMS), to filter out the sites entirely, or to truncate the payloads to save disk space, if meta creation is still desired.


media_filters.parser

  • Primarily used for truncating the payload of streaming media sites, like youtube, netflix, pandora, etc.


news_filters.parser

  • Primarily used to either filter or truncate traffic from common news portals, like MSNBC, CNN, etc.


ad_filters.parser

  • Common advertising domains can be put in this parser for filtering or truncating the traffic, but with the advent of ad site malware, I've been using it to drill into advertising traffic looking for any malicious traffic to build additional content from.
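The following is an added example, not one of the parsers in the attached zip and not RSA or Gary Golomb's code: a small offline Python model of what the four parsers do, so the matching and rule logic can be tested before it is put into an Application Rule. It pulls the Host: header out of an HTTP request, checks it against per-category domain lists, emits the risk.info values (the parser names) that a matching session would carry, and then applies a per-category policy covering the three uses described above (filter only executables, filter the site entirely, truncate the payload). The domain lists, the POLICY table, the executable extensions and the sample requests are all constructed for illustration and are assumptions, not the contents of the shipped parsers.

```python
"""Offline model of the domain-list filter/truncate parsers (added example)."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample lists, one per parser name; the real parsers carry
# their own lists. risk.info meta is keyed by the parser name.
DOMAIN_LISTS: Dict[str, FrozenSet[str]] = {
    "update_filters": frozenset({"windowsupdate.com", "update.microsoft.com",
                                 "swcdn.apple.com"}),
    "media_filters": frozenset({"youtube.com", "netflix.com", "pandora.com"}),
    "news_filters": frozenset({"msnbc.com", "cnn.com"}),
    "ad_filters": frozenset({"doubleclick.net", "adnxs.com"}),
}

# Hypothetical per-category policy mirroring the post's three uses.
# "keep" leaves the session intact (the ad category is kept for hunting).
POLICY: Dict[str, str] = {
    "update_filters": "filter_executables",
    "media_filters": "truncate",
    "news_filters": "truncate",
    "ad_filters": "keep",
}

# Assumed set of "executable" download extensions for the update rule.
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".msu", ".cab", ".dll")

# Precedence when a host lands in more than one list: a drop beats a
# payload truncation, which beats keeping the session.
_RANK = {"keep": 0, "truncate": 1, "filter": 2}


def normalize_host(value: str) -> str:
    """Lower-case the Host value and strip an optional :port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("[") and "]" in host:          # bracketed IPv6 literal
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                         # hostname:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def host_from_request(request: str) -> Optional[str]:
    """Return the normalized Host: header of an HTTP request, or None."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.splitlines()[1:]:                 # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return normalize_host(value)
    return None


def host_in_list(host: str, domains: FrozenSet[str]) -> bool:
    """Match the domain itself or any subdomain of it (dot-anchored).

    A plain substring or endswith() test would also match lookalikes such
    as youtube.com.evil.example or notcnn.com; anchoring on the dot avoids that.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def risk_info_meta(host: str) -> List[str]:
    """risk.info values a session with this Host would receive."""
    return [name for name, doms in DOMAIN_LISTS.items() if host_in_list(host, doms)]


def path_from_request(request: str) -> str:
    parts = request.split("\r\n", 1)[0].split()
    return parts[1] if len(parts) >= 2 else "/"


def decide(request: str) -> Tuple[List[str], str]:
    """Return (risk.info meta, action) where action is keep/truncate/filter."""
    host = host_from_request(request)
    if host is None:
        return [], "keep"
    meta = risk_info_meta(host)
    path = path_from_request(request).split("?", 1)[0].lower()
    action = "keep"
    for name in meta:
        policy = POLICY[name]
        if policy == "filter_executables":
            policy = "filter" if path.endswith(EXECUTABLE_EXTENSIONS) else "keep"
        if _RANK[policy] > _RANK[action]:
            action = policy
    return meta, action


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "update_exe": "GET /msdownload/update/x.exe HTTP/1.1\r\nHost: download.windowsupdate.com\r\n\r\n",
    "update_page": "GET /catalog HTTP/1.1\r\nHost: update.microsoft.com\r\n\r\n",
    "media": "GET /watch?v=abc HTTP/1.1\r\nHost: www.YouTube.com:443\r\nUser-Agent: x\r\n\r\n",
    "lookalike": "GET / HTTP/1.1\r\nHost: youtube.com.evil.example\r\n\r\n",
    "ad": "GET /pixel HTTP/1.1\r\nHost: ad.doubleclick.net\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:12s} host={host_from_request(req)!s:28s} -> {decide(req)}")
```

Two points worth carrying over to the real rules. First, match on the whole label boundary (the dot-anchored test above), because a loose substring match on the Host value lets a lookalike domain inherit a "filter" decision. Second, the Host header is supplied by the client, so a rule that drops or truncates sessions purely on a Host value is also a way for a client that lies about its Host to keep its payload out of the capture; that is one more reason to prefer truncation, which still creates meta, over filtering where disk space allows.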
