Hi,<br><br>I have a though of what might be a useful feature. I was thinking it would be cool if Suricata could use the HTTP host header or the connections in the http.log file to apply specified blacklists against it to look for connections.<br>
<br>i.e <br><br>Have IP and domains blacklists specified in a preprocessor and then apply it such as:<br><br>Preprocessor:<br>reputation:<br>domains: $RULE_PATH/malwaredrop.txt<br>ips: $RULE_PATH/botnetcncips.txt<br>domains: $RULE_PATH/malwarecnc.txt<br>
<br>And then have it detect things like these if it appears in the specified lists:<br>Host: malwarecnc.bad<br>Host. 13.213.123.X<br><br>Essentially if it was in a rule format it could be like this:<br>Specified Variable in config: malwarecncdomains = $RULE_PATH/malwarecnc.txt<br>
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Connection To Malware CnC Domain"; flow:established,to_server; content:"Host|3A 20|"; http_header; reputation:$malwarecncdomains,relative; http_header; classtype:trojan-activityl; sid:1323991; rev:1;)<br>
<br>It may even allow in rule format to search for malicious links in websites if the variables could be applied anywhere to the HTTP traffic. This would be useful in some environments where the IDS may see traffic from client to proxy depending on setup. <br>
<br>What are people's thoughts on this?<br>Thanks,<br>Kevin Ross<br><br><br>