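/**
 * Emit NIDS rules for one `domain` attribute: a UDP/53 and a TCP/53 DNS query
 * rule (name in raw DNS label format) plus an outbound HTTP rule keyed on the
 * Host header. All rules are appended to $this->rules.
 *
 * @param string $ruleFormat sprintf template receiving, in order: whitelist
 *                           prefix, proto, src ip, src port, direction, dst ip,
 *                           dst port, msg, rule content, tag, sid, rev.
 * @param array  $attribute  MISP attribute; only ['value'] is read here.
 * @param int    $sid        Rule sid, by reference. Advanced after each of the
 *                           two DNS rules; left at the sid consumed by the HTTP
 *                           rule. NOTE(review): the caller is presumably
 *                           expected to advance it afterwards — confirm.
 */
public function domainRule($ruleFormat, $attribute, &$sid)
{
    // Whitelist check is done on the raw value, before any substitution.
    $overruled = $this->checkWhitelist($attribute['value']);
    $prefix = $overruled ? '#OVERRULED BY WHITELIST# ' : '';

    // Substitute chars not allowed in a rule. NOTE(review): the HTTP content
    // and msg fields below embed the value verbatim, so rule integrity relies
    // on replaceIllegalChars() stripping `"` and `;` — confirm in NidsExport.
    $attribute['value'] = NidsExport::replaceIllegalChars($attribute['value']);
    $domain = $attribute['value'];

    // DNS: header bytes 2-11 (flags + section counts, as sent by a plain
    // recursive query), then the queried name in raw label format.
    $dnsContent = 'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"' . NidsExport::dnsNameToRawFormat($domain) . '"; fast_pattern; nocase;';
    $this->rules[] = sprintf($ruleFormat, $prefix, 'udp', 'any', 'any', '->', 'any', '53', 'Domain: ' . $domain, $dnsContent, '', $sid, 1);
    $sid++;
    $this->rules[] = sprintf($ruleFormat, $prefix, 'tcp', 'any', 'any', '->', 'any', '53', 'Domain: ' . $domain, $dnsContent . ' flow:established;', '', $sid, 1);
    $sid++;

    // HTTP: match the domain in the Host header, bounded on both sides so
    // "example.com" does not hit "notexample.com" or "example.com.evil".
    // The pcre is '/'-delimited; preg_quote() only escapes '/' when the
    // delimiter is passed. Without it, a '/' surviving in the value would
    // terminate the pattern early and inject the remainder into the rule.
    $httpContent = 'flow:to_server,established; content: "Host|3a|"; nocase; http_header; content:"' . $domain . '"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-])' . preg_quote($domain, '/') . '[^A-Za-z0-9-\\.]/H";';
    $this->rules[] = sprintf($ruleFormat, $prefix, 'tcp', '$HOME_NET', 'any', '->', '$EXTERNAL_NET', '$HTTP_PORTS', 'Outgoing HTTP Domain: ' . $domain, $httpContent, 'tag:session,600,seconds;', $sid, 1);
}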