VMS 2.2 - TCP Reset to a word belonging to a URL

luiz.barreto
Level 1

Does anyone know how to deny access to a site by doing a TCP Reset to a string on the site's domain name (using an IDS MC Custom Signature)?

11 Replies

jimwelsh
Level 1

Create a STRING.HTTP custom signature. Make it "ToService". Set the RegexString to an appropriate Regular Expression for the URL. Enable it, and set the Action to "Reset".

If you need specifics, let me know. Please specify the domain name you wish to block.

Off-topic. I'd do this by having my local DNS server claim to be authoritative for that domain, and have no A records for it!

Hi Jim

I use IDS MC 1.2 and it doesn't have the engine STRING.HTTP.

I used STRING.TCP and the string letters (RegexString) between brackets but it didn't work.

About the DNS I don't think it is effective because the employees could use the IP address or use another DNS server.

I am waiting for another idea from you.

Thanks.

What was your RegexString that you tried?

Give me a specific example of a URL you want to block. Of course, if the user uses an IP Address, then you won't get the URL in the HTTP Headers, anyway.

OOPS. My bad. I meant SERVICE.HTTP in my earlier post.

One URL I want to reset is www.parperfeito.com.br so the string to be reset would be parperfeito.

Try:

[Pp][Aa][Rr][Pp][Ee][Ff][Ee][Ii][Tt][Oo]

You could get fancier (like specifying the "dot" chars with "\." before and after, and so forth), but this string seems unique enough to do the job.

Also, make sure you set the AlarmThrottle to "FireAll".

I meant "[Pp][Aa][Rr][Pp][Ee][Rr][Ff][Ee][Ii][Tt][Oo]", obviously.

OK, I tested tonight on an appliance, and the RequestRegex I used that is less likely to cause false positives is:

\x0d\x0a[Hh][Oo][Ss][Tt]: .*[Pp][Aa][Rr][Pp][Ee][Rr][Ff][Ee][Ii][Tt][Oo]\x2e[Cc][Oo][Mm]\x2e[Bb][Rr]\x0d\x0a

HTH
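To make concrete what the two RegexStrings posted above actually match, here is an added example (not code from this thread or from Cisco) that runs the bare `[Pp][Aa]...` pattern and the Host-header-anchored pattern over a few constructed HTTP requests with Python's re module. It assumes the IDS regex engine treats `\xNN` hex escapes and bracketed character classes the same way Python does. A third pattern, which tolerates a `:port` suffix on the Host header, is an extension added here; whether the IDS MC engine accepts its `(...)?` grouping is an assumption to verify on the sensor.

```python
import re

# The two RegexStrings from the thread, copied verbatim.
SIMPLE_REGEX = r"[Pp][Aa][Rr][Pp][Ee][Rr][Ff][Ee][Ii][Tt][Oo]"
HOST_REGEX = (
    r"\x0d\x0a[Hh][Oo][Ss][Tt]: .*[Pp][Aa][Rr][Pp][Ee][Rr][Ff][Ee][Ii][Tt][Oo]"
    r"\x2e[Cc][Oo][Mm]\x2e[Bb][Rr]\x0d\x0a"
)

# Added here (assumption, not from the thread): same anchoring on the Host
# header, but allowing an optional subdomain prefix and an optional ":port".
HOST_PORT_REGEX = (
    r"\x0d\x0a[Hh][Oo][Ss][Tt]: ([^\x0d]*\x2e)?"
    r"[Pp][Aa][Rr][Pp][Ee][Rr][Ff][Ee][Ii][Tt][Oo]\x2e[Cc][Oo][Mm]\x2e[Bb][Rr]"
    r"(:[0-9]+)?\x0d\x0a"
)

# Constructed sample requests (not captured traffic). The IP address is from
# the RFC 5737 documentation range; the "other site" host is a placeholder.
REQUESTS = {
    # Browser asks for the site by name: every pattern should fire.
    "direct": (
        b"GET / HTTP/1.1\r\nHost: www.parperfeito.com.br\r\n"
        b"User-Agent: constructed\r\n\r\n"
    ),
    # Same, but the user typed the name in mixed case.
    "mixed_case": b"GET / HTTP/1.1\r\nHost: WWW.ParPerfeito.COM.BR\r\n\r\n",
    # User typed the server's IP address instead of its name: the domain
    # never appears in the HTTP headers, so no header-based regex can fire.
    "by_ip": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    # A different site where the word only appears in the query string:
    # the bare pattern fires (false positive), the Host-anchored ones do not.
    "other_site_link": (
        b"GET /search?q=parperfeito HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    ),
    # Non-default port: the thread's Host-anchored pattern requires CRLF
    # right after ".br", so it misses this; the port-tolerant one catches it.
    "with_port": b"GET / HTTP/1.1\r\nHost: www.parperfeito.com.br:8080\r\n\r\n",
}


def evaluate(pattern: str) -> dict:
    """Return, per constructed request, whether the signature would fire.

    The pattern is compiled as bytes so the \\xNN escapes are resolved by the
    regex engine, as the IDS sensor would do, not by Python string parsing.
    """
    compiled = re.compile(pattern.encode("ascii"))
    return {name: compiled.search(raw) is not None for name, raw in REQUESTS.items()}


def main() -> None:
    patterns = {
        "SIMPLE_REGEX": SIMPLE_REGEX,
        "HOST_REGEX": HOST_REGEX,
        "HOST_PORT_REGEX": HOST_PORT_REGEX,
    }
    names = list(REQUESTS)
    print(f"{'pattern':16}" + "".join(f"{n:>16}" for n in names))
    for label, pattern in patterns.items():
        hits = evaluate(pattern)
        print(f"{label:16}" + "".join(f"{str(hits[n]):>16}" for n in names))


if __name__ == "__main__":
    main()
```

The table this prints shows the trade-off the thread is circling: the bare word matches anything that merely mentions the name, the Host-anchored version only matches requests addressed to that domain, and neither can do anything about a user who connects by IP address, which is the point made earlier about the URL not being in the headers. The port-tolerant pattern is worth testing on the appliance before relying on it, since an on-sensor regex dialect may not support the grouping.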

I tested this last suggestion and it didn't work with the engine SERVICE.HTTP.

Please define "didn't work".

The connection was not reset.