pymumu / smartdns

A local DNS server to obtain the fastest website IP for the best Internet experience, supporting DoT and DoH.
https://pymumu.github.io/smartdns/
GNU General Public License v3.0

[Regex matching] Could domain rules support regular-expression configuration? #1759

Open ZqinKing opened 2 weeks ago

ZqinKing commented 2 weeks ago

Use case: Please describe the scenario in which the feature is needed and how it would be used.

I ran into some problems when extracting the DNS queries alerted on by ET threat-intelligence rules into smartdns rules. For example, this rule:

alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns.query; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}./"; classtype:policy-violation; sid:2026486; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)

This rule excludes some prefixes for domains under the core.windows.net suffix. Moreover, in practice the characters in the middle of onedrivecl(xxxxxxx) vary, so they can't really be enumerated. In this situation, is there any way to express a configuration matching this rule with the current configuration options?
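To make the matching logic of the quoted ET rule explicit (suffix check, anchored brand-prefix regex, and the negated `pcre:!` exclusion), here is an added Python example that re-implements it over constructed sample query names. It is not part of the issue or of the smartdns project; it assumes Suricata's `dns.query` buffer holds the queried name without a trailing dot, and it lowercases names before comparing, which is an assumption about how a resolver would treat them. It is useful as a reference oracle when checking whether any candidate smartdns configuration flags the same set of names.

```python
import re

# Components of the ET rule quoted in the issue (sid:2026486), copied verbatim.
SUFFIX = ".core.windows.net"
BRAND_PREFIX = re.compile(r"^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)")
# Negated pcre ("pcre:!"): a name that matches this is NOT alerted on.
# Note the final '.' is unescaped in the original rule, so it matches any character.
ONEDRIVE_CLIENT_EXCLUSION = re.compile(r"^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}.")


def et_rule_matches(qname: str) -> bool:
    """Return True if a DNS query name would trigger the quoted ET rule.

    Assumption: Suricata's dns.query buffer is the queried name without a
    trailing dot; we strip one and lowercase so the comparison behaves like the
    case-insensitive matching a DNS resolver applies to names.
    """
    name = qname.rstrip(".").lower()
    if not name.endswith(SUFFIX):                # content:".core.windows.net"; endswith;
        return False
    if not BRAND_PREFIX.match(name):             # pcre:"/^(...)/" anchored at the start
        return False
    if ONEDRIVE_CLIENT_EXCLUSION.match(name):    # pcre:!"/^onedrivecl.../" excludes the name
        return False
    return True


def classify(qnames):
    """Split a list of query names into (alerted, not_alerted) for reporting."""
    alerted = [q for q in qnames if et_rule_matches(q)]
    not_alerted = [q for q in qnames if not et_rule_matches(q)]
    return alerted, not_alerted


# Constructed sample query names (not taken from the issue).
SAMPLE_QUERIES = [
    "docusign.core.windows.net",                        # brand prefix + suffix: alerted
    "onedrive-files.blob.core.windows.net",             # alerted
    "onedriveclabprodcd12345.blob.core.windows.net",    # excluded by the negated pcre
    "myadobe.core.windows.net",                         # prefix not at the start
    "adobe.example.com",                                # wrong suffix
]

if __name__ == "__main__":
    alerted, not_alerted = classify(SAMPLE_QUERIES)
    print("alerted    :", alerted)
    print("not alerted:", not_alerted)
```

The exclusion only matters for names that already passed the brand-prefix check, which is why the third sample name is tested against the prefix (it starts with `onedrive`) before being dropped by the exclusion.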