jamesdris
Nov 24, 2015Nimbostratus
match regex in payload
iam trying to write a rule to search for a regex for any URL in HTTP::payload, this is what i am using:
when HTTP_REQUEST_DATA { if { [HTTP::payload] matches_regex {[(https?|ftp):\/\/..]} } { HTTP::respond 403 } }
But looks like this rule is matching anything in the payload whether URL or not. Any ideas would help.