
Regex too many hits

Question asked by NTRSPhil on Feb 12, 2014
Latest reply on Apr 7, 2014 by huan zhou

I am trying to create an Informer rule that will feed an Informer alert. I am basically looking for a direct-to-IP HTTP connection followed by a query string that contains a "/" followed by a string of 44 alpha or numeric characters. This is what I wrote as the rule:

query regex \/[a-z0-9]{44} && risk.suspicious = 'direct to ip http request'

It works, but I am also getting stuff like the attached file being flagged. Can anyone tell me what I am doing wrong?
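An added example (not part of the question, and not NetWitness code) that checks one likely cause of the extra hits: `[a-z0-9]{44}` requires at least 44 consecutive characters, not exactly 44, so any longer alphanumeric run after a slash also matches. The sample strings are constructed (the attachment is not visible here), and lookahead support in the Informer regex engine is an assumption.

```python
import re

# Constructed sample query strings (not taken from the post's attachment).
SAMPLES = {
    "exact44":  "/" + "a1" * 22,                 # exactly 44 alphanumerics after the slash
    "run60":    "/" + "b2" * 30,                 # 60 alphanumerics: also contains a run of 44
    "short":    "/abc123",                       # far too short to match
    "pathlong": "/static/" + "c3" * 30 + ".js",  # long hash-like filename inside a normal path
    "upper":    "/" + "A1" * 22,                 # uppercase is outside [a-z0-9]
}

# The rule's pattern as posted: a slash followed by 44 (or more) [a-z0-9] characters.
POSTED = re.compile(r"\/[a-z0-9]{44}")

# Tightened variant (assumption: the engine supports negative lookahead): the run of
# 44 must be followed by a non-alphanumeric character or end of string, so runs of
# 45 or more characters no longer match. {44} is a fixed count, so it cannot backtrack.
TIGHT = re.compile(r"\/[a-z0-9]{44}(?![a-z0-9])")


def matches(pattern, text):
    """True if the pattern occurs anywhere in the query string."""
    return pattern.search(text) is not None


def evaluate(pattern, samples=SAMPLES):
    """Run one pattern over every sample and report which ones would be flagged."""
    return {name: matches(pattern, text) for name, text in samples.items()}


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("tight", TIGHT)):
        print(label, evaluate(pattern))
```

The posted pattern flags both the 60-character run and the long static filename; the tightened one flags only the exact 44-character string.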
