This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nkr
Participant
‎2021-11-05 02:35 AM

URL's containing wildcards

Hi CheckMates!
(R80.40) I’m trying to create rules to access sites like:
gocart-web-prod-*.elb.amazonaws.com

sharedcloud-production*.s3.amazonaws.com

acpprodva7apollo.blob.core.windows.net/acp-prod-va7-data*

platform-cs*.adobe.io

acp-ss-*.adobe.io

ss-*-notif*.aws.adobess.com

cc-api-image.adobe.io/createagc

cc-api-image-x.adobe.io/agctosvg

platform-cs*.adobe.io

 

I have tried creating these as domain objects, but the wildcard within the url seems to be an issue, when using these custom domain objects.
I have also tried using them in custom applications/sites as non-regexp, but again without success.

How do I go about using url’s in the rulebase containing wildcards (*) somewhere within the url?

0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-11-05 03:22 AM

Wildcards can only used as the first character and should be avoided, see sk165094: Custom Applications/Sites - Best practice

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Nkr
Participant
‎2021-11-05 05:40 AM
In response to G_W_Albrecht

Is there another way of implementing these URL's in the policy using wildcards?
Or am I forced to get each possible URL?

(e.g. "example*.com" corresponds to "example1.com", "example2.com" etc. etc..)

0 Kudos
PhoneBoy
Admin
Admin
‎2021-11-05 07:17 AM
In response to Nkr

You cannot create it as a Domain Object.
You must create it as a Custom Application/Site, which limits you to detection via HTTP/HTTPS.
For anything beyond a hostname (ie a specific URL), HTTPS Inspection will absolutely be required.
However, you can use wildcards.

0 Kudos
Wolfgang
Authority
Authority
‎2021-11-05 07:20 AM
In response to Nkr

Have a look at @G_W_Albrecht mentioned sk165094, use regular expressions.

0 Kudos
Nkr
Participant
‎2021-11-08 02:30 AM
In response to Wolfgang

I've been through that, but maybe I'm not getting the syntax right.

To my knowledge, the syntax for a wildcard in regular expression would be /.*/
So as for "example*.com" it would be "example/.*/.com" or something along those lines. Doesn't to the trick though. Could anyone be helpful with the exact syntax for such an expression?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-11-08 03:21 AM
In response to Nkr

example/.*/.com is invalid: wrong escape character, and * is defined as matches the previous token between zero and unlimited times, as many times as possible, giving back as needed (greedy)

So the correct RegEx is:

example\.\w*\.com

that will match e.g. example.amazon.com

Try using https://regex101.com/ that also contains the complete RegEx syntax - here you can see if it matches what it should very easily and if not, why...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top