Regular Expressions (RegEx) within Correlation rules
Trying to determine the proper regex format/structure that SSIM uses. I have used regex in the past with much success in other applications and event filters.
However, the SSIM rules seem to have a different allowable regex format. Example below.
Came across a malware stream with a specific format,
where the .php?info= and the _ are all in the same place, with random letters and numbers within the URL.
A quick and dirty Regex to match this is the following.
The SSIM rule match is not catching any of the URLs with the pattern. I tried incrementally adding the pieces and got to the special characters ? = and _ with varying degrees of success, using \ and \\ prior to the ? but not the other characters.
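An added example (not from the original post, and not SSIM's own code or documentation) in Python, to show why an unescaped ? in .php?info= silently stops the pattern from matching and what the escaped form matches instead. The URLs, host names and the exact pattern are constructed placeholders; whether SSIM wants a single backslash (\?) or a doubled one (\\?) depends on whether the rule field is parsed as a quoted string literal before it reaches the regex engine, which is treated here as an assumption and handled by a small helper.

```python
import re

# Constructed sample URLs for testing (placeholders, not real indicators).
SAMPLE_URLS = [
    "http://example.invalid/path/index.php?info=Ab12cd_9xYz",  # should match
    "http://example.invalid/other.php?info=ZZ_7",              # should match
    "http://example.invalid/index.php?info=nounderscore",      # no '_' segment
    "http://example.invalid/index.phpXinfo=abc_def",           # no '?' at all
]

# "Quick and dirty" pattern with the metacharacters left unescaped.
# Here '.' means "any character" and 'p?' means "optional p", so the regex
# looks for "<any>phinfo=" or "<any>phpinfo=" and never for ".php?info=".
BROKEN_PATTERN = r".php?info=[A-Za-z0-9]+_[A-Za-z0-9]+"

# Escaped form: '\.' is a literal dot and '\?' a literal question mark.
# '=' and '_' carry no special meaning in the pattern and need no escape.
FIXED_PATTERN = r"\.php\?info=[A-Za-z0-9]+_[A-Za-z0-9]+"


def match_urls(pattern: str, urls: list[str]) -> list[str]:
    """Return the subset of urls that the pattern matches anywhere."""
    compiled = re.compile(pattern)
    return [u for u in urls if compiled.search(u)]


def as_string_literal(pattern: str) -> str:
    """Double every backslash so the pattern survives being read as a
    quoted string literal (assumption: some rule fields are parsed this
    way, turning \\? into \? before the regex engine sees it)."""
    return pattern.replace("\\", "\\\\")


if __name__ == "__main__":
    print("broken :", match_urls(BROKEN_PATTERN, SAMPLE_URLS))
    print("fixed  :", match_urls(FIXED_PATTERN, SAMPLE_URLS))
    print("literal:", as_string_literal(FIXED_PATTERN))
```

The broken pattern matches none of the constructed URLs, which is the "not catching anything" symptom described above; the escaped pattern matches exactly the two URLs with the .php?info=<chars>_<chars> shape. If the rule field needs the doubled form, as_string_literal shows what to type.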