joelmolina
just joined
Topic Author
Posts: 17
Joined: Tue Aug 06, 2019 5:36 pm

L7 RegExp for ".ru" ends domains http

Tue Nov 26, 2019 10:54 pm

Hi friends, I am looking for a Layer 7 syntax to block all pages that end with .ru; can someone please help me?

Thanks in advance.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L7 RegExp for ".ru" ends domains http

Tue Nov 26, 2019 11:54 pm

It's the wrong approach. The right approach is to sanitize the systems infected with the malware. Are you sure the malware only uses http to connect? It may be https, it may be something else...

So I'd define a layer7 rule
/ip firewall layer7-protocol
# 0x02 is the DNS label-length byte that precedes the two-character final label "ru"
add name=gamarue regexp="\\x02[rR][uU]...\?.\?\$"

and add an action=add-src-to-address-list address-list=gamarue-hosts layer7-protocol=gamarue dst-port=53 to both chain=input and chain=forward of /ip firewall filter, once with protocol=tcp and once with protocol=udp (so four rules in total). And then you may block all traffic based on src-address-list=gamarue-hosts, but much more important is to identify the infected clients (reading the contents of the address-list as it gradually builds up) and talk to them.

Just bear in mind that you may have some false positives depending on who your clients are.
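The rule set described in the post above, written out as an added example so the four detection rules, the optional block rule and the way to read the resulting list can be pasted as one unit. Only the layer7 rule is quoted from the post; the rule comments, the log prefix "gamarue", the choice to put the drop rule in the forward chain only and the rule placement are assumptions made for illustration, not sindy's configuration.

```routeros
# Added example: the full rule set for the approach described above.
# The layer7 regexp is the one from the post; comments, log prefix and
# rule placement are assumptions for illustration.

/ip firewall layer7-protocol
# DNS carries names as length-prefixed labels, so ".ru" never appears
# literally on the wire; 0x02 is the length byte of the final label "ru".
add name=gamarue regexp="\\x02[rR][uU]...\?.\?\$"

/ip firewall filter
# Four matching rules: DNS to the router itself (input) and DNS passing
# through it (forward), each for UDP and TCP. They only record the source;
# add-src-to-address-list does not stop rule processing for the packet.
add chain=input protocol=udp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    log=yes log-prefix="gamarue" comment="DNS query for .ru, UDP, to router"
add chain=input protocol=tcp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    log=yes log-prefix="gamarue" comment="DNS query for .ru, TCP, to router"
add chain=forward protocol=udp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    log=yes log-prefix="gamarue" comment="DNS query for .ru, UDP, forwarded"
add chain=forward protocol=tcp dst-port=53 layer7-protocol=gamarue \
    action=add-src-to-address-list address-list=gamarue-hosts \
    log=yes log-prefix="gamarue" comment="DNS query for .ru, TCP, forwarded"

# Optional containment: drop everything from hosts already on the list.
# Kept after the rules above so an infected host keeps re-triggering them.
add chain=forward src-address-list=gamarue-hosts action=drop \
    comment="block hosts that queried .ru domains"

# Read the list as it fills up (the important part, per the post):
/ip firewall address-list print where list=gamarue-hosts
```

Two practical caveats. The layer7 matcher depends on connection tracking and inspects only plaintext DNS on port 53, so clients that resolve over DoH/DoT, use a resolver the router never sees, or connect to hard-coded IPs produce no entry at all. The list entries are permanent as written; add address-list-timeout= to the four detection rules if they should expire, and use place-before= on the drop rule if an earlier accept rule in the forward chain would otherwise shadow it.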
