SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Changed the bypassable DNS hostname checks #107

Open MaxNad opened 4 years ago

MaxNad commented 4 years ago

I modified some of the rules for Event ID 3 (Network connection initiated) and Event ID 22 (DNS query) to remove potential bypasses.

Multiple checks were done on incomplete hostnames like <DestinationHostname condition="end with">amazontrust.com</DestinationHostname>. If somebody registers notamazontrust.com, it would still match the rule and would not show up in the collected events. I split those rules into two different matches to match either amazontrust.com or its subdomains:

<QueryName condition="is">amazontrust.com</QueryName>
<QueryName condition="end with">.amazontrust.com</QueryName>
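The bypass described in this PR, reproduced as an added example (this is not code from the sysmon-config project or from the PR author). It models the two Sysmon string conditions involved, "is" and "end with", runs the original suffix-only exclusion and the split rule pair over a constructed list of QueryName values, and also generalizes the fix into a small helper that turns any bare-suffix pattern into the hardened pair. The assumptions are that Sysmon compares these strings case-insensitively and that an event matching any rule in an exclude group is dropped; the hostnames in `SAMPLE_QUERIES` are constructed, not real telemetry.

```python
"""Added example, not part of the sysmon-config project or PR #107.

Models Sysmon's "is" / "end with" string conditions to show why
  <QueryName condition="end with">amazontrust.com</QueryName>
is bypassable by a look-alike registration and why the split pair
  <QueryName condition="is">amazontrust.com</QueryName>
  <QueryName condition="end with">.amazontrust.com</QueryName>
is not.

Assumptions (not verified against the Sysmon source): string matching is
case-insensitive, and an exclude group drops the event when any rule matches.
"""


def condition_matches(condition: str, pattern: str, value: str) -> bool:
    """Evaluate one Sysmon-style string condition (assumed case-insensitive)."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "end with":
        return v.endswith(p)
    if condition == "begin with":
        return v.startswith(p)
    if condition == "contains":
        return p in v
    raise ValueError(f"unsupported condition: {condition}")


def excluded(rules, value: str) -> bool:
    """True if any (condition, pattern) rule in an exclude group matches value."""
    return any(condition_matches(cond, pat, value) for cond, pat in rules)


def classify(rules, queries):
    """Return the queries that would still be logged under the given exclude rules."""
    return [q for q in queries if not excluded(rules, q)]


def harden_suffix_rule(pattern: str):
    """Turn a bare-suffix 'end with' pattern into the exact-match + subdomain pair.

    A pattern that already starts with '.' is already a subdomain-only match
    and is returned unchanged as a single 'end with' rule.
    """
    if pattern.startswith("."):
        return [("end with", pattern)]
    return [("is", pattern), ("end with", "." + pattern)]


# The original, bypassable exclusion from the config.
WEAK_RULES = [("end with", "amazontrust.com")]

# The PR's replacement: exact domain, or a real subdomain (note the leading dot).
FIXED_RULES = [
    ("is", "amazontrust.com"),
    ("end with", ".amazontrust.com"),
]

# Constructed sample of QueryName values for the demonstration.
SAMPLE_QUERIES = [
    "amazontrust.com",
    "ocsp.amazontrust.com",
    "notamazontrust.com",            # look-alike an attacker could register
    "evil.notamazontrust.com",
    "AMAZONTRUST.COM",               # case check
    "amazontrust.com.evil.example",  # suffix-only rule never covered this anyway
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: still logged -> {classify(rules, SAMPLE_QUERIES)}")
    print("hardened:", harden_suffix_rule("amazontrust.com"))
```

Running it shows the look-alike names notamazontrust.com and evil.notamazontrust.com vanishing from the log under the weak rule and surviving under the split pair, while genuine subdomains such as ocsp.amazontrust.com are still excluded by both. The same split applies to any "end with" exclusion on a bare domain in the config, which is what `harden_suffix_rule` mechanizes.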