Triage Squid Alerts Using Typosquatting Algorithm

Improve Scoring with a Domain Whitelist

Once you have identified and investigated a potential typosquatted domain and found that it is legitimate, you can stop future alerts by using a domain whitelist enrichment.

  1. Display the Management module UI.
  2. Select the Squid sensor from the list of sensors on the main window.
  3. Click the pencil icon in the list of tool icons for the Squid sensor.
  4. Click Advanced.
  5. Click the expand window button next to the RAW JSON field.
  6. Replace the is_potential_typosquat information with the following:
    "is_potential_typosquat := not (ENRICHMENT_EXISTS('domain_whitelist', domain_without_tld, 'enrichment', 't')) && BLOOM_EXISTS(OBJECT_GET('/tmp/reference/alexa10k_filter.ser'), domain_without_tld)",
    
  7. Click SAVE below the JSON panel.
  8. Click SAVE at the bottom of the Squid sensor configuration panel.
  9. Open cnn.com or npr.org in the browser connected to the HCP proxy.
  10. Open the Alerts UI.
  11. Click on the timestamp column header until the events are sorted descending by timestamp.
    Proxy events to cnn.com and npr.org are no longer alerts.
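The scoring rule from step 6, modelled in Python as an added example (this is not HCP or Metron code): the Bloom filter contents and the whitelist are constructed inline, and the names BloomFilter and is_potential_typosquat are assumptions made for the illustration.

```python
"""Added example modelling the Stellar rule:
not ENRICHMENT_EXISTS(whitelist) && BLOOM_EXISTS(filter, domain).
Sample data below is constructed; the real enrichment reads the
whitelist from HBase and the filter from alexa10k_filter.ser."""
import hashlib


class BloomFilter:
    """Minimal Bloom filter (hypothetical); k positions from SHA-256."""

    def __init__(self, size_bits=8192, num_hashes=4):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray(size_bits // 8 + 1)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def exists(self, item):
        # Can return a false positive, never a false negative.
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))


def is_potential_typosquat(domain_without_tld, whitelist, bloom):
    """True only when the domain is NOT whitelisted AND is in the filter."""
    if domain_without_tld in whitelist:
        return False          # whitelist enrichment suppresses the alert
    return bloom.exists(domain_without_tld)


# Constructed filter: typosquat candidates plus the two legitimate
# domains the page reports as alerting before the whitelist step.
bloom_filter = BloomFilter()
for candidate in ["gogle", "googel", "goolge", "cnn", "npr"]:
    bloom_filter.add(candidate)

EMPTY_WHITELIST = set()          # state before the whitelist enrichment
DOMAIN_WHITELIST = {"cnn", "npr"}  # state after investigating both domains
```

Because a Bloom filter can report a member that was never added, a legitimate domain can match the filter; the whitelist check runs first and is the place to suppress domains verified as legitimate.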