Thanks again for the help. I did notice the site was much slower to load.
The issue we are having is the site landing page is http://mycompany.com/
I have no way to defince / without giving access to everything after it. I have this working on a test site that I just put up that has a different landing page (http://mycompany.com/en-us and all seems to be working ok.
there is only one string in the SplunkTest data group for /en-us but the site and rule work as expected. Anyone have any ideas how to allow the root?
when HTTP_REQUEST {
if { ![class match [string tolower [HTTP::uri]] starts_with SplunkTest] } {
HTTP::respond 200 content "ErrorPERMISSION DENIED TO: [HTTP::uri]"
}
}
I look forward to hearing back from you
Jeff