On Mon, 2018-11-12 at 20:20 -0500, Alex wrote:
> Hi, this doesn't look like it should be considered a hex URI.
> 
> Nov 12 20:14:16.376 [15295] dbg: rules: ran uri rule URI_HEX ======>
> got hit: "https://api-89c8e17d";
> 
I didn't get any joy from playing with this one. Assuming that
89c9e17d is a set of four 2-digit hex numbers, converting to
decimal and adding the dots gives 137.200.225.125, which looks like an
IP (137.200.225.125), but 'host' says it doesn't resolve: 3(NXDOMAIN).

Similarly 'host' couldn't resolve api-89c8e17d into an IP address,
though it is evidently a private subdomain of duosecurity.com. See
below.

> Nov 12 20:14:16.379 [15295] dbg: rules: ran uri rule
> __LOCAL_PP_NONPPURL ======> got hit:
> "https://api-89c8e17d.duosecurity.com";
>
Looking this up with 'host' got me the IP 54.241.191.167 
and a reverse lookup on that resolves it to:

ec2-54-241-191-167.us-west-1.compute.amazonaws.com.

IOW, it's probably a good thing that SA does think these are hex
addresses that can fire URI rules.

Martin
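
The hex-to-dotted-quad reading discussed in this message, as an added example that is not part of the original thread and is not SpamAssassin's URI_HEX rule. The function names and the choice of "exactly 8 hex digits standing alone in a host label" as the trigger are assumptions made for illustration; the last two sample URIs are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a candidate is exactly 8 hex digits that are not part of a
# longer alphanumeric token (so "api-89c8e17d" qualifies, "deadbeefcafe" does not).
HEX_RUN = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f]{8}(?![0-9A-Za-z])")


def hex_to_ipv4(run):
    """Read 8 hex digits as four octets, most significant first."""
    return ipaddress.IPv4Address(bytes.fromhex(run))


def hex_hosts(uri):
    """Return (label, hex run, decoded IPv4) for every host label of `uri`
    that embeds a stand-alone 8-digit hex run."""
    host = urlsplit(uri).hostname or ""
    hits = []
    for label in host.split("."):
        for m in HEX_RUN.finditer(label):
            hits.append((label, m.group(), hex_to_ipv4(m.group())))
    return hits


def triage(uris):
    """One summary line per URI: what a reviewer would want to look up next."""
    lines = []
    for uri in uris:
        hits = hex_hosts(uri)
        if not hits:
            lines.append(f"{uri}: no hex-encoded address candidate")
        for label, run, ip in hits:
            lines.append(f"{uri}: label '{label}' embeds {run} -> {ip}")
    return lines


if __name__ == "__main__":
    samples = [
        "https://api-89c8e17d",                  # from the debug output above
        "https://api-89c8e17d.duosecurity.com",  # from the debug output above
        "https://www.example.com/login",         # constructed: no hex label
        "https://deadbeefcafe.example.com",      # constructed: 12 hex digits, not 8
    ]
    print("\n".join(triage(samples)))
```

A decoded address is only a lead: as in the thread, it still has to be checked against what the full hostname actually resolves to.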


