Once you have identified and investigated a potential typosquatted domain and found
that it is legitimate, you can stop future alerts by using a domain whitelist
enrichment.
-
Display the Management module UI.
-
Select the Squid sensor from the list of sensors on the main window.
-
Click the pencil icon in the list of tool icons
for the Squid sensor.
-
Click Advanced.
-
Click (expand window button) next to the RAW
JSON field.
-
Replace the
is_potential_typosquat
information with the
following:
"is_potential_typosquat := not (ENRICHMENT_EXISTS('domain_whitelist', domain_without_tld, 'enrichment', 't')) && BLOOM_EXISTS(OBJECT_GET('/tmp/reference/alexa10k_filter.ser'), domain_without_tld)",
-
Click SAVE below the JSON panel.
-
Click SAVE at the bottom of the Squid sensor configuration
panel.
-
Open
cnn.com
or npr.com
in the browser connected
to the HCP proxy.
-
Open the Alerts UI.
-
Click on the timestamp column header until the events are
sorted descending by timestamp.
Proxy events to cnn.com
and npr.org
are no
longer alerts.