Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What are the compiled regex in rintel? #161

Open
ParikhKadam opened this issue Apr 25, 2020 · 1 comment
Open

What are the compiled regex in rintel? #161

ParikhKadam opened this issue Apr 25, 2020 · 1 comment

Comments

@ParikhKadam
Copy link

From my understanding, these regex are used to detect obfuscated URLs. But I neither know much about URL obfuscation nor I am aware of why such URLs will be used in any typical site.

Can you please share some more knowledge about this?

@DaveCrim
Copy link

tl;dr; Prevent accidently clicking malware or other malicious links, but still be able to share threat intelligence. Still be able to post contact info such as links or e-mail addresses while trying to stop them from getting picked up by bots and spammed.

This has become quite common in the threat intelligence community to obfuscate known malicious links / content to prevent someone from accidently clicking on it. Especially as some exploits will execute just by visiting a page and don't require any user interaction. Also have to watch for today's oh so helpful browsers, email clients, etc automatically detect links (even if they aren't actually hyperlinked) and create the link for you. So instead of writing a blog post about http://badwebsite.com/PageWithMalware.html where someone might accidently click that and infect themselves, you write it like hxxp://badwebsite dot com/PageWithMalware[.]html so you can't accidently click on it.
*note used several different "defang" techniques above just to demonstrate.

An older reason, more with e-mails and contact info was to try to prevent bots from scraping the websites and gathering details for spamming. So instead of putting [email protected] on the front page of your website, then getting lots of spam. People began various obfuscations that people could see, but might confuse simple bots such as youremail at yourdomain dot com, or youremail[@]yourdomain(.)com.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants