Ironport Wildcard regular expression for all TLD possibilities

Naterade
Level 1

On my IronPort WSA, I would like to block, via regex, any possible TLD for a given domain (apparently around 1400). 

A recent sample reason / example why: autodiscover.*** (ref: https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-autodiscover-bugs-leak-100k-windows-credentials/ )

Two questions here:

1) I would imagine that the following would be the regex expression for it, but I haven't found any articles on this, and want to double check. Is this how?: autodiscover\..*/ 
Yes?
2) In addition, I would also like to block any possible subdomains. It would appear from Cisco's regex man page that wildcard beginnings are not possible. Am I correct in this understanding? 

If #2 is true, then #1 is defeatable and futile, and I should just enter everything twice (once for the parent domain [domain.***], and once for the subdomain [.domain.***]) into the "Sites" field, not the "Regular Expressions" field, yes?

2 Replies

I've been trying this, but I think I ran into a bug in the regex engine.
(?i)(://autodiscover\.\w{2,15}/)
This should match TLDs that are from 2 to 15 characters long. (Pulled the list from the article; the longest one is 15 chars.)
It keeps telling me that the period is unescaped (it's NOT...)


fw_mon
Level 1

Hello @Naterade

If possible, avoid any regex, as it slows down the WSA and can produce unexpected results (false positives and false negatives).

If you want to block any subdomain of a particular web site just use .example.com pattern (note a dot in front of example.com) in a block list.

For example, if you need to access www.example.com but block every other subdomain of example.com, create a custom URL category that is processed before the block custom URL category, and put ".example.com" in the block list and "www.example.com" in the allow list.
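To see what the two approaches in this thread actually match, here is an added Python example (not code from the thread and not Cisco's implementation) that runs the posted regex over constructed URLs and models the ordered allow-before-block custom category lookup; the leading-dot semantics (pattern matches the domain and all of its subdomains) and the default action when nothing matches are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not from the thread) covering the cases discussed.
SAMPLE_URLS = [
    "http://www.example.com/",
    "http://mail.example.com/",
    "http://example.com/",
    "http://notexample.com/",
    "http://autodiscover.com/",
    "http://autodiscover.co.uk/",      # multi-label public suffix
    "http://autodiscover.xn--p1ai/",   # punycode TLD containing hyphens
    "http://autodiscover.com",         # no trailing slash
]

# The regex exactly as posted in the reply above.
REPLY_REGEX = re.compile(r"(?i)(://autodiscover\.\w{2,15}/)")

def regex_matches(url):
    """True if the posted regex would fire on this URL."""
    return REPLY_REGEX.search(url) is not None

def pattern_matches(pattern, host):
    """Assumed WSA custom-URL-category semantics: a leading dot matches the
    domain itself and every subdomain; otherwise the host must match exactly."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def decide(url, categories):
    """categories: ordered list of (name, action, patterns); first match wins,
    mirroring 'allow category processed before block category'."""
    host = urlsplit(url).hostname or ""
    for _name, action, patterns in categories:
        if any(pattern_matches(p, host) for p in patterns):
            return action
    return "allow"  # assumed default when no custom category matches

# Allow www.example.com, block everything else under example.com.
CATEGORIES = [
    ("allow-www", "allow", ["www.example.com"]),
    ("block-example-subdomains", "block", [".example.com"]),
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:35} regex={regex_matches(url)!s:5} category={decide(url, CATEGORIES)}")
```

Run as-is, the output shows that the posted regex misses multi-label suffixes (co.uk), hyphenated punycode TLDs (because `\w` excludes `-`) and URLs without a trailing slash, while the leading-dot block list handles subdomains without any regex.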