From 98471bc53c19081ae240711f0ffe9a0442b88fc0 Mon Sep 17 00:00:00 2001
From: Kevin Dienst
Date: Mon, 3 Feb 2020 07:29:42 -0600
Subject: [PATCH] Update proxy_raw_paste_service_access.yml Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw` Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
---
 rules/proxy/proxy_raw_paste_service_access.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/proxy/proxy_raw_paste_service_access.yml b/rules/proxy/proxy_raw_paste_service_access.yml
index d5d21d3be..a752099c3 100644
--- a/rules/proxy/proxy_raw_paste_service_access.yml
+++ b/rules/proxy/proxy_raw_paste_service_access.yml
@@ -17,6 +17,7 @@ detection:
 - '.paste.ee/r/'
 - '.pastebin.com/raw/'
 - '.hastebin.com/raw/'
+ - '.ghostbin.co/paste/.+/raw/'
 condition: selection
 fields:
 - ClientIP
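Review bot: The added value `'.ghostbin.co/paste/.+/raw/'` will most likely never match, because Sigma compares list values as plain strings in which only `*` and `?` act as wildcards, so `.+` is taken literally unless the field carries the `|re` modifier. The trailing slash is a second miss: the URL quoted in the description ends in `/raw`, not `/raw/`. The result would be a silent detection gap for this provider rather than an error, so I would write the entry as `- '.ghostbin.co/paste/*/raw'`. The key that owns this list and any modifier on it are outside the hunk, so confirm the matching mode there; the leading dot follows the neighbouring entries and, like them, presumably relies on the field holding a host with a subdomain.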