Well, I THOUGHT it was all working, but still having issues. I believe the answer is in using the HEX Strings, but the format is giving me fits!

As long as the Pattern Matching hits for the ENTIRE DNS Request, it seems to work, (I put in --- .*\x 69 73 63 03 6f 72 67 \x ---) for "isc.org", which is EXACTLY 7 bytes, and it is now blocking these requests (Another DDOS URL).)

So, I am trying to set up a Pattern Matching for a PORTION of a string inside a DNS request, but the rule fails to match the traffic. (per packet captures).

Obfuscated, but if I put in patterns to match these:

it.really.is.nt
69 74 02 72 65 61 6c 6c 79 02 69 73 02 6e 74

IT.REALLY.IS.NT
49 54 02 52 45 41 4c 4c 59 02 49 53 02 4e 54

I get matching hits on DNS requests that include ONLY that exact string, anything that prepends or appends to this does NOT hit this rule. (ie: www.it.really.is.nt, or MX1.it.really.is.nt)

A couple of options I have tried (only showing the lower-case attempts, but had the upper-case also, under two Custom Applications, and two Security Rules):

\x 69 74 02 72 65 61 6c 6c 79 02 69 73 02 6e 74 \x
.*\x 69 74 02 72 65 61 6c 6c 79 02 69 73 02 6e 74 \x
.*(\x 69 74 02 72 65 61 6c 6c 79 02 69 73 02 6e 74 \x)
.*( \x 69 74 02 72 65 61 6c 6c 79 02 69 73 02 6e 74 \x )

I also tried to shorten this to just the "really.is" portion, upper and lowercase, with the same type of results (exact string match, any "extra" characters in the DNS request do not hit the rule).

After I clear out my two other open Tech support cases, I am going to open a case for this issue. I am getting WAY too frustrated waiting for the 10-minute "commit" 20-30 times per day!

EDIT: Another question: WHAT are valid HEX strings for a "period"? I have seen 02, 03, and 06 in my captures,

Message was edited by: Russel Smith
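On the 02, 03 and 06 bytes asked about at the end of the post: in the DNS wire format (RFC 1035) there is no byte for the dot; each label is preceded by one byte giving its length, and the name ends with 00. The Python sketch below is an added example, not part of the original post; its function names are hypothetical, the sample names are constructed from the ones in the post, and it makes no claim about how the firewall's pattern engine treats these bytes.

```python
# Added illustration: DNS question names as they appear on the wire.
# Function names are assumptions for this example only.

def encode_qname(name: str) -> bytes:
    """Encode a domain name as a DNS QNAME (RFC 1035, section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out.append(len(raw))  # length byte; hex dumps render it as "."
        out += raw
    out.append(0)             # zero-length root label ends the name
    return bytes(out)


def hex_bytes(data: bytes) -> str:
    """Space-separated lower-case hex, the form used in the post."""
    return " ".join(f"{b:02x}" for b in data)


def query_in_zone(qname_wire: bytes, zone: str) -> bool:
    """True if the wire-format query name is `zone` or a subdomain of it.

    The encoded zone, including its leading length byte and trailing 00,
    is the tail of every subdomain's QNAME. In a full query packet the
    same bytes form one contiguous run followed by QTYPE and QCLASS.
    """
    # bytes.lower() only changes A-Z; length bytes are 0-63, so they
    # are left untouched and the comparison is case-insensitive.
    return qname_wire.lower().endswith(encode_qname(zone.lower()))


if __name__ == "__main__":
    zone = "it.really.is.nt"  # obfuscated name taken from the post
    print(f"{zone:22} {hex_bytes(encode_qname(zone))}")
    # Constructed sample queries.
    for q in ("www.it.really.is.nt", "MX1.IT.REALLY.IS.NT",
              "notit.really.is.nt", "isc.org"):
        wire = encode_qname(q)
        print(f"{q:22} {hex_bytes(wire)}  in zone: {query_in_zone(wire, zone)}")
```

The separator byte therefore depends on the label that follows it: 03 before "org", 06 before "really", 02 before "is".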