<div dir="ltr">Domain rep doesn't exist yet, but it's in the works. Emerging Threats is sponsoring some work directly with Victor to get this coded up. We are anxious to see this as well!<div><br></div><div>He's going down the road of building some kind of short-term tracking of the IP responses from DNS queries that can then be referred to by reputation directives in a rule, either by IP or DNS name. </div>
<div><br></div><div>Shouldn't be long till there is beta code, but it's not as easy an undertaking as it sounds, I think. Victor may have a few comments here. </div><div><br></div><div>Matt<br><div class="gmail_extra">
<br><br><div class="gmail_quote">On Sun, Jan 6, 2013 at 1:14 PM, Matt <span dir="ltr"><<a href="mailto:matt@somedamn.com" target="_blank">matt@somedamn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Does DNS reputation exist even for DNS
packets today? IP Reputation just came out in 1.4. I'd love to
see a similar feature for hostnames, as those are actually more
useful to me than IP addresses. The vast majority of trojan
command & control servers use hostnames rather than IP
addresses. It would be great if the reputation rules could be
applied to HTTP Host headers as well, since most of the C&Cs
are HTTP-based.<br>
<br>
<pre cols="72">Matt</pre><div><div class="h5">
On 1/5/2013 10:25 PM, Kevin Ross wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">Hi,<br>
<br>
I have a thought of what might be a useful feature. I was thinking
it would be cool if Suricata could use the HTTP host header or the
connections in the http.log file to apply specified blacklists
against it to look for connections.<br>
<br>
i.e.<br>
<br>
Have IP and domains blacklists specified in a preprocessor and
then apply it such as:<br>
<br>
Preprocessor:<br>
<pre>reputation:
  domains: $RULE_PATH/malwaredrop.txt
  ips: $RULE_PATH/botnetcncips.txt
  domains: $RULE_PATH/malwarecnc.txt</pre>
<br>
And then have it detect things like these if it appears in the
specified lists:<br>
Host: malwarecnc.bad<br>
Host: 13.213.123.X<br>
<br>
Essentially if it was in a rule format it could be like this:<br>
Specified Variable in config: malwarecncdomains =
$RULE_PATH/malwarecnc.txt<br>
<pre>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Connection To Malware CnC Domain";
  flow:established,to_server; content:"Host|3A 20|"; http_header;
  reputation:$malwarecncdomains,relative; http_header;
  classtype:trojan-activity; sid:1323991; rev:1;)</pre>
<br>
It may even allow in rule format to search for malicious links in
websites if the variables could be applied anywhere to the HTTP
traffic. This would be useful in some environments where the IDS
may see traffic from client to proxy depending on setup. <br>
<br>
What are people's thoughts on this?<br>
Thanks,<br>
Kevin Ross<br>
<br>
<br>
<br>
<br>
</div></div><pre>_______________________________________________
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><br><br>----------------------------------------------------<br>
Matt Jonkman<br>Emerging Threats Pro<br>Open Information Security Foundation (OISF)<br>Phone 866-504-2523 x110<br><a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br><a href="http://www.openinfosecfoundation.org" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------
</div></div></div>
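<div>The matching Kevin sketches above (a blacklist applied to the HTTP Host header, covering both names and IP literals) together with the short-term tracking of DNS answers that Matt Jonkman describes, written out as an added Python example. This is not Suricata code and not anything Victor has published; the proposed <code>reputation</code> rule keyword and preprocessor config have no counterpart here. The blacklists, host names, addresses, TTLs and the one-line event format are all constructed for the example.</div>

```python
"""Added example, not Suricata code: toy reputation matching on HTTP Host
headers and on DNS answers, as proposed in the thread above."""
import ipaddress

# Constructed blacklists standing in for $RULE_PATH/malwarecnc.txt and
# $RULE_PATH/botnetcncips.txt; every name and address here is made up.
MALWARE_CNC_DOMAINS = {"malwarecnc.bad", "dropper.invalid"}
BOTNET_CNC_IPS = {ipaddress.ip_address("13.213.123.7")}

def normalize_host(raw):
    """Lower-case a Host value, drop a :port and a trailing dot; handles
    [v6]:port as well as name:port and v4:port."""
    host = raw.strip().lower()
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # a bare IPv6 literal has more colons
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def match_domain(host, domains):
    """Return the listed name equal to host or to one of its parents: a
    listed 'malwarecnc.bad' covers 'cdn.malwarecnc.bad' but not
    'notmalwarecnc.bad' (label-aware, unlike a content: substring match)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):    # never match on a bare TLD
        parent = ".".join(labels[i:])
        if parent in domains:
            return parent
    return None

class DnsAnswerTracker:
    """Short-term memory of A/AAAA answers (resolved IP -> name, expiry) so
    a later flow to a bare IP can be tied to the name that resolved to it,
    for as long as the answer's TTL lasts."""

    def __init__(self):
        self._by_ip = {}

    def record(self, name, ip, ttl, now):
        self._by_ip[ipaddress.ip_address(ip)] = (normalize_host(name), now + ttl)

    def name_for(self, ip, now):
        name, expiry = self._by_ip.get(ipaddress.ip_address(ip), (None, 0))
        return name if now < expiry else None   # expired answers are ignored

def check_http_host(raw_host, domains=MALWARE_CNC_DOMAINS, ips=BOTNET_CNC_IPS):
    """Reputation check on a Host header: a listed IP literal or a listed
    domain/subdomain. Returns a reason string or None."""
    host = normalize_host(raw_host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        hit = match_domain(host, domains)
        return f"domain:{hit}" if hit else None
    return f"ip:{ip}" if ip in ips else None

def check_flow(dst_ip, tracker, now, domains=MALWARE_CNC_DOMAINS, ips=BOTNET_CNC_IPS):
    """Reputation check on a flow's destination: a direct IP hit, or an IP
    that a listed name recently resolved to (the DNS-answer tracking idea)."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in ips:
        return f"ip:{ip}"
    name = tracker.name_for(ip, now)
    hit = match_domain(name, domains) if name else None
    return f"dns:{name}->{hit}" if hit else None

# Constructed event lines in a made-up format (not Suricata's http.log/dns.log):
#   "<ts> dns <name> <ip> <ttl>"       an A/AAAA answer seen on the wire
#   "<ts> http <dst_ip> <Host value>"  an HTTP request
#   "<ts> flow <dst_ip>"               any other connection
SAMPLE_LOG = """\
100 dns update.malwarecnc.bad 198.51.100.20 60
101 http 198.51.100.20 update.malwarecnc.bad:8080
102 http 13.213.123.7 13.213.123.7
103 flow 198.51.100.20
104 http 93.184.216.34 www.example.com
200 flow 198.51.100.20
"""

def scan(log_text):
    """Run the checks over event lines; returns [(ts, reason), ...]."""
    tracker, alerts = DnsAnswerTracker(), []
    for line in log_text.splitlines():
        ts, kind, *rest = line.split()
        now, reason = int(ts), None
        if kind == "dns":                      # record the answer, and flag the name
            name, ip, ttl = rest
            tracker.record(name, ip, int(ttl), now)
            hit = match_domain(normalize_host(name), MALWARE_CNC_DOMAINS)
            reason = f"dns-answer:{normalize_host(name)}->{hit}" if hit else None
        elif kind == "http":
            reason = check_http_host(" ".join(rest[1:])) or check_flow(rest[0], tracker, now)
        elif kind == "flow":
            reason = check_flow(rest[0], tracker, now)
        if reason:
            alerts.append((now, reason))
    return alerts
```

<div>Two details the proposal glosses over show up in the sample run: matching has to be label-aware (a listed <code>malwarecnc.bad</code> must catch <code>cdn.malwarecnc.bad</code> without catching <code>notmalwarecnc.bad</code>, which a plain <code>content:</code> match on the Host header would not do), and the name-to-IP mapping has to expire with the answer's TTL, otherwise the flow at timestamp 200 would still be attributed to a name that may have moved elsewhere.</div>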