Looking through some ET rules, there are rules with multiple content fields (ex. ... dns.query; content:"ipfs"; content:".translate.goog"; ...), but when parsed by idstools only one is returned:
Ex:
```python
from idstools import rule

# ET rule with two content matches on the dns.query sticky buffer.
rule_text = """alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspicious IPFS Domain Rewritten with Google Translate"; dns.query; content:"ipfs"; content:".translate.goog"; distance:0; endswith; fast_pattern; reference:url,vadesecure.com/en/blog/new-phishing-attack-leverages-google-translate-and-ipfs-decentralized-network; classtype:credential-theft; sid:2046638; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_23, deployment Perimeter, confidence Medium, signature_severity Major, tag Phishing, updated_at 2023_06_23;)"""

parsed_rule = rule.parse(rule_text)
print(parsed_rule.content)
```
prints only ".translate.goog". Would a more accurate result be to print an array containing both "ipfs" and ".translate.goog"? That would be a breaking change though... :(
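For comparison, here is an added standalone parser (not idstools code) that walks the option list of the rule above and keeps every `content` match in order, together with the sticky buffer it applies to and the modifiers that follow it. The sticky-buffer detection is a simplifying assumption; the rule text is the one from the report, with reference and metadata trimmed.

```python
from typing import Dict, List

# Rule from the report above (reference/metadata trimmed for brevity).
ET_RULE = ('alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspicious IPFS Domain '
           'Rewritten with Google Translate"; dns.query; content:"ipfs"; '
           'content:".translate.goog"; distance:0; endswith; fast_pattern; '
           'classtype:credential-theft; sid:2046638; rev:1;)')

# Keywords that modify the preceding content match rather than starting a new one.
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
                     "fast_pattern", "startswith", "endswith"}

def split_options(body: str) -> List[str]:
    """Split the option body on ';' while honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def parse_contents(rule: str) -> List[Dict]:
    """Return every content match, in order, with its sticky buffer and modifiers."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents, buffer = [], None
    for opt in split_options(body):
        name, _, value = (p.strip() for p in opt.partition(":"))
        if name == "content":
            negated = value.startswith("!")
            value = value.lstrip("!").strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            contents.append({"buffer": buffer, "value": value,
                             "negated": negated, "modifiers": {}})
        elif name in CONTENT_MODIFIERS and contents:
            contents[-1]["modifiers"][name] = value or True
        elif not value and "." in name:
            # Assumption: a valueless dotted keyword (dns.query, http.uri) is a sticky buffer.
            buffer = name
    return contents

if __name__ == "__main__":
    for match in parse_contents(ET_RULE):
        print(match)
```

Run as-is it prints two dicts, one per `content`, which is the list-shaped result the report asks about.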