Hi Gregg,
Sorry, I was misinterpreting what the domain command would return if the number of fields specified was greater than the number of fields in the input string. string match should work though. I edited the examples above to use string match. Can you try that?
Here is an example of how to test for at least three fields in the host header:
when RULE_INIT {
    # domain returns up to the number of fields specified in the count parameter
    log local0. "\[domain 10.11.12.13 3\]: [domain 10.11.12.13 3]"
    log local0. "\[domain test.sub.example.com 3\]: [domain test.sub.example.com 3]"
    log local0. "\[domain sub.example.com 3\]: [domain sub.example.com 3]"
    log local0. "\[domain example.com 3\]: [domain example.com 3]"
    # string match matches three or more fields with a pattern of *.*.*
    log local0. "\[string match *.*.* 10.11.12.13\]: [string match *.*.* 10.11.12.13]"
    log local0. "\[string match *.*.* test.sub.example.com\]: [string match *.*.* test.sub.example.com]"
    log local0. "\[string match *.*.* sub.example.com\]: [string match *.*.* sub.example.com]"
    log local0. "\[string match *.*.* example.com\]: [string match *.*.* example.com]"
    log local0. "\[string match *.*.* com\]: [string match *.*.* com]"
}
Log output:
: [domain 10.11.12.13 3]: 11.12.13
: [domain test.sub.example.com 3]: sub.example.com
: [domain sub.example.com 3]: sub.example.com
: [domain example.com 3]: example.com
: [string match *.*.* 10.11.12.13]: 1
: [string match *.*.* test.sub.example.com]: 1
: [string match *.*.* sub.example.com]: 1
: [string match *.*.* example.com]: 0
: [string match *.*.* com]: 0
Aaron
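An added example, not from Aaron's post, applying the same "at least three fields" test to a live request: it counts non-empty Host labels instead of relying on `*.*.*`, which matches any value containing two dots (including empty labels such as "a..b" or ".example.com"). It assumes the intent is to reject such requests with a 400; `getfield`, `HTTP::host` and `HTTP::respond` are standard iRule commands, the three-label threshold is assumed.

```tcl
# Added example (not from the thread): enforce at least three non-empty
# labels in the Host header of each request.
when HTTP_REQUEST {
    # Normalise: lower-case, drop any :port suffix, drop a trailing dot.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set host [string trimright $host "."]

    # Count only non-empty labels. "a..b" and ".example.com" both count as 2
    # here, whereas [string match *.*.* $host] returns 1 for both, because
    # the glob only requires two dots, not three populated fields.
    set labels 0
    foreach label [split $host "."] {
        if { $label ne "" } { incr labels }
    }

    # IP-literal hosts such as 10.11.12.13 pass (4 labels), as in the
    # log output above; add a separate check if that is not wanted.
    if { $labels < 3 } {
        log local0. "Rejecting Host \"[HTTP::host]\": $labels label(s), need 3"
        HTTP::respond 400 content "Bad Request"
        return
    }
}
```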