Lieutenant Commander

list matching

Good day 

I have web proxy URL events populated and I want to check these populated URLs against a list of domains.

I have created a local variable to get the active list value and match it against the populated event.

My problem is that I can't check if the populated URL CONTAINS any of the domains in my list.

I only have the option to match with the "=" sign.

Hope you get my point.

Knowledge Partner

Hi

Depending on your proxy type and how it is being parsed, have a look in the destinationHostName and also the RequestUrlHost field - that should be the domain data without all the additional query strings, which you can then compare with your list?

Lieutenant Commander

In the destinationHostName field you get, for example:

www.facebook.com
www.google.com
community.microfocus.com

In my list I have:

- facebook
- google
- microfocus

So there is no exact match, and there is no way I can append and prepend the www and com values to my list before comparing it.

Knowledge Partner

Hi

It may help to understand your use case for this list matching - is it a threat list or some other use?

First a word of warning....
For most threat lists of domains, the subdomain may be relevant to the threat - think of malware hosted on an AWS or Azure hosted server. Additionally - what about the TLD? Facebook.com = good, Facebook.onion = maybe not good.

Also - stripping down to just the domain and doing a "Contains" will generate false positives and false negatives - think of all the malware domains that may use the name of a bank or Google or other valid domains along with some extra text in their phishing domain.

And in other instances, the subdirectory or query may be relevant - i.e. a piece of malware or a C2 connection hosted on a valid domain such as GitHub / AWS etc.

That said - to do what you want to achieve, you will need to play with variables to strip the www and .com from the destinationHostName and then compare against your list - along the lines of several local variables that find the index of the "." and then strip the text, leaving just the first part of the domain name behind.

There will be scenarios that fail to work correctly by stripping the subdomain and TLD - but have a look and see if it suits your use case?
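To make the trade-off in this reply concrete, here is an added example in Python (it is not ArcSight code and not from the original thread) that runs the three matching strategies under discussion over a handful of hostnames: "=" against the stripped first label, a plain substring "contains" against the bare list, and a label-boundary suffix match against full domains. All hostnames, list entries and function names are constructed for illustration; the stripping logic only mimics the variable chain described above.

```python
# Added example, not code from the thread or from ArcSight: a small harness
# showing what each matching strategy discussed above does to a set of
# proxy hostnames. All hostnames, list entries and function names are
# constructed here for illustration.

# Constructed sample destinationHostName values (not real proxy events).
EVENTS = [
    "www.facebook.com",
    "www.google.com",
    "community.microfocus.com",      # subdomain of a listed domain
    "facebook-login.evil.example",   # lookalike with extra text in the name
    "facebook.onion",                # same first label, different TLD
    "s3.amazonaws.com",              # not on any list
]

# The list in the form the poster described: bare names only.
BARE_LIST = {"facebook", "google", "microfocus"}

# The same list written as full registered domains, which is the form that
# allows a suffix match on label boundaries.
DOMAIN_LIST = {"facebook.com", "google.com", "microfocus.com"}


def strip_to_label(host):
    """Mimic the variable chain the reply describes: lower-case the hostname,
    drop a leading 'www.', then keep only the text before the first dot."""
    h = host.lower()
    if h.startswith("www."):
        h = h[4:]
    return h.split(".", 1)[0]


def match_exact(host):
    """'=' against the list after stripping: subdomains are missed
    (community.microfocus.com becomes 'community') and the TLD is ignored
    (facebook.onion becomes 'facebook' and matches)."""
    return strip_to_label(host) in BARE_LIST


def contains_any(value, keys):
    """Plain substring 'contains': returns every list entry found anywhere in
    the value, sorted so the result is deterministic. This is the check the
    poster asked for; it also works on non-hostname fields such as a custom
    string searched for a short fragment."""
    v = value.lower()
    return sorted(k for k in keys if k.lower() in v)


def match_domain_suffix(host):
    """Label-boundary suffix match against full domains: the host must equal
    the listed domain or end with '.' + domain, so subdomains match but
    lookalikes with extra text ('facebook-login...') and other TLDs do not."""
    h = host.lower()
    for d in DOMAIN_LIST:
        if h == d or h.endswith("." + d):
            return d
    return None


def summarize(events=EVENTS):
    """Run all three strategies over the events; returns a dict keyed by host."""
    return {
        e: {
            "label": strip_to_label(e),
            "exact": match_exact(e),
            "contains": contains_any(e, BARE_LIST),
            "suffix": match_domain_suffix(e),
        }
        for e in events
    }


if __name__ == "__main__":
    for host, result in summarize().items():
        print(f"{host:30} {result}")
```

Running it shows the two failure modes the reply warns about side by side: the stripped "=" check accepts facebook.onion but misses community.microfocus.com, the substring check fires on facebook-login.evil.example, and only the suffix match against full domains gets all six right. The suffix form does require the list to hold full domains rather than bare names.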


Lieutenant Commander

Hi

I have already created a global variable and stripped the URL to only the domain.
By doing so my list matches only the domain and not subdomains.

This is why I needed to use the CONTAINS value and not the "=" value so I can match it.
My research led to a dead end in this matter; all I could find is the "=" value.

My scenario is not just for the proxy connector, but I have a custom database connector that gets the following:
- device custom string 5: ABCD123123ABC
- my list contains: 3A

This is what I want to match, so the solution to strip out the value in front of 3A will not work.
