Trying to determine the proper regex format/structure that SSIM uses. I have used regex in the past with much success in other applications and event filters.
However, the SSIM rules seem to have a different allowable regex format. Example below.
Came across a malware stream with a specific format.
http://melikeiletisim[.]net/YFHHTRVWJR.php?info=755_296194096
where the .php?info= and the _ are all in the same place, with random letters and numbers within the URL.
A quick and dirty regex to match this is the following (the dot before php is escaped so it matches a literal dot).
\/\w\w\w\w\w\w\w\w\w\w\.php\?info=\d\d\d_\d\d\d\d\d\d\d\d\d
The SSIM rules match is not catching any of the URLs with the pattern. I tried incrementally adding the pieces and got to the special characters ?, = and _ with varying degrees of success using \ and \\ prior to the ?, but not the other characters.
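As an added example (not from the original post, and not SSIM's own matching engine), the following Python script checks the logic of the pattern above with the standard `re` module before it is pasted into an SSIM rule. It assumes a Perl/Python-style engine where `\` escapes metacharacters, which is exactly the behaviour the post reports SSIM does not fully share; the extra test URLs are constructed, and the `refang` helper only undoes the `[.]` defanging so the sample can be matched as it would appear in a log.

```python
import re

# Sample URL from the post, kept defanged with "[.]" (constructed test data).
SAMPLE_URL = "http://melikeiletisim[.]net/YFHHTRVWJR.php?info=755_296194096"

# Extra constructed URLs: two that share the shape, three that do not.
TEST_URLS = [
    SAMPLE_URL,
    "http://example[.]test/ABCDEFGHIJ.php?info=123_456789012",
    "http://example[.]test/ABCDEFGHIJ.php?info=123_456789012&x=1",
    "http://example[.]test/ABCDEFGHIJ.php?info=12_456789012",   # only 2 leading digits
    "http://example[.]test/ABCDEFGHIJXphp?info=123_456789012",  # no literal ".php"
    "http://example[.]test/index.php?info=123_456789012",       # 5-char script name
]

# The poster's pattern, with the "." before "php" escaped so it matches a
# literal dot rather than any single character.
VERBOSE_PATTERN = r"\/\w\w\w\w\w\w\w\w\w\w\.php\?info=\d\d\d_\d\d\d\d\d\d\d\d\d"

# Same pattern written with counted repeats, and anchored so the info value
# must end at the end of the string or at the next "&" query parameter.
COMPACT_PATTERN = r"/\w{10}\.php\?info=\d{3}_\d{9}(?:$|&)"

# The same pattern with the dot left unescaped, to show the false positive
# that a bare "." introduces (it matches the "X" in "ABCDEFGHIJXphp").
UNESCAPED_PATTERN = r"/\w{10}.php\?info=\d{3}_\d{9}(?:$|&)"


def refang(url: str) -> str:
    """Turn the "[.]" defanging back into a real dot before matching."""
    return url.replace("[.]", ".")


def matches(pattern: str, url: str) -> bool:
    """True if the pattern is found anywhere in the refanged URL."""
    return re.search(pattern, refang(url)) is not None


def hits(pattern: str, urls=TEST_URLS) -> list:
    """Return the URLs (as given, still defanged) that the pattern matches."""
    return [u for u in urls if matches(pattern, u)]


if __name__ == "__main__":
    for name, pat in [("verbose", VERBOSE_PATTERN),
                      ("compact", COMPACT_PATTERN),
                      ("unescaped", UNESCAPED_PATTERN)]:
        matched = hits(pat)
        print(f"{name}: {len(matched)} hit(s)")
        for u in matched:
            print("   ", u)
```

Running it shows the escaped patterns matching only the three URLs with the expected shape, while the unescaped dot also picks up the `ABCDEFGHIJXphp` decoy; if SSIM's engine is the problem, this at least separates "the pattern is wrong" from "the engine escapes differently".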