From b140ebc943705dd2e47bcbc4899c0e230c467a16 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 24 Jan 2025 02:59:20 +0000
Subject: [PATCH] Sync from PR#2327 Create open_redirect_smartadserver.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2327 Source SHA 8fd0cc3d9c2682a39e28543869e18a6aa795210b Triggered by @zoomequipd
---
 detection-rules/open_redirect_smartadserver.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/open_redirect_smartadserver.yml b/detection-rules/open_redirect_smartadserver.yml
index 16486df5c9a..07d1b713e6d 100644
--- a/detection-rules/open_redirect_smartadserver.yml
+++ b/detection-rules/open_redirect_smartadserver.yml
@@ -9,7 +9,7 @@ source: |
 .href_url.domain.root_domain == "smartadserver.com"
 and strings.icontains(.href_url.query_params, 'go=')
 and not strings.icontains(.href_url.query_params,
- 'go=https?(?:%3a|:)(?:%2f|\/){2}(?:[^\/]+)?smartadserver.com\/'
+ 'go=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*smartadserver\.com(?:\&|\/|$)'
 )
 )
 // remove uses that originate from smartadserver.com
@@ -32,4 +32,4 @@ detection_methods:
 - "URL analysis"
 id: "27e5a585-891d-549d-af34-e2b8dff6d64e"
 testing_pr: 2327
-testing_sha: 96521975583335deba00080137e1a05e44262e9f
+testing_sha: 8fd0cc3d9c2682a39e28543869e18a6aa795210b
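Review bot: The exclusion on the changed line of the first hunk is written as a regular expression but is still passed to `strings.icontains`, which compares a literal substring, so the `not` clause would never exclude anything and redirects that stay on smartadserver.com keep matching; the call on the context line just above should be `and not regex.icontains(.href_url.query_params,`. Once the pattern is evaluated as a regex, `[^&]*` is wider than the old `(?:[^\/]+)?`, because it can run past the host into the path of the `go=` value, so a destination on another domain that merely carries `smartadserver.com/` later in the URL would be dropped from detection. Bounding that part to the host, for example `(?:[^\/&?#]*\.)?smartadserver\.com(?:&|\/|$)`, keeps the subdomain allowance while narrowing the exclusion to the redirect target's hostname. The enclosing `source` expression starts above the hunk, so the shape of `.href_url.query_params` (raw versus decoded) is assumed from these lines and should be confirmed against a sample message.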