[Oisf-users] Hostbits?

Rich Rumble richrumble at gmail.com
Thu Feb 7 14:02:34 UTC 2013


On Thu, Feb 7, 2013 at 6:07 AM, Victor Julien <lists at inliniac.net> wrote:
> Hostbits do not exist yet, although it shouldn't be hard to add them.
> Think you can probably at least partially address it with thresholds,
> although it depends on how varied the flood hostnames are I guess.
>
> Something like:
> content:"|06|time-"; content:"|07|netgear|03|com";
> pcre:"/\x06time\-[a-z]\x07netgear\x03com/"; threshold: ...
>
Does or will Suricata do any host profiling using p0f or Prads types?
Maybe looking for hosts claiming to be one thing but seeming to be
another?
https://github.com/gamelinux/prads
http://lcamtuf.coredump.cx/p0f3/
-rich
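The thresholded content match Victor sketches above relies on the DNS wire format: each label is preceded by its length byte, which is why the rule carries |06| before "time-" and |07| before "netgear". The script below is an added example (not code from the thread or from Suricata) that builds QNAMEs in that format, applies the same pattern, and counts matches per source so an alert fires only when a source exceeds a rate; the sample events, the 10.0.0.x addresses, and the 5-in-10-seconds window are constructed here for illustration, and the counter is a simplified stand-in for Suricata's threshold keyword rather than a reimplementation of it.

```python
import re
import struct
from collections import defaultdict


def encode_qname(hostname: str) -> bytes:
    """Encode a dotted hostname as a DNS wire-format name:
    one length byte per label, terminated by a zero byte."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


# Same shape as the rule's pcre: the length bytes are part of the match, so
# "time-a.netgear.com" matches but "time-ab.netgear.com" (label length 7) does not.
FLOOD_NAME = re.compile(rb"\x06time-[a-z]\x07netgear\x03com\x00")


def matches_flood_name(qname: bytes) -> bool:
    """True if the wire-format QNAME is one of the flood hostnames."""
    return FLOOD_NAME.search(qname) is not None


class Threshold:
    """Per-source sliding-window counter (assumption: a simplified stand-in
    for Suricata's threshold keyword, not its actual implementation).
    hit() returns True each time `count` matches land within `seconds`,
    then resets that source's window."""

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.seconds = seconds
        self.seen = defaultdict(list)  # src -> timestamps of recent matches

    def hit(self, src: str, ts: int) -> bool:
        window = self.seen[src]
        window[:] = [t for t in window if ts - t < self.seconds]  # drop expired
        window.append(ts)
        if len(window) >= self.count:
            window.clear()
            return True
        return False


def scan(events, count: int = 5, seconds: int = 10):
    """events: iterable of (timestamp, src_ip, qname_bytes).
    Returns the list of (timestamp, src_ip) pairs at which an alert fires."""
    th = Threshold(count, seconds)
    alerts = []
    for ts, src, qname in events:
        if matches_flood_name(qname) and th.hit(src, ts):
            alerts.append((ts, src))
    return alerts


# Constructed sample traffic: one host querying time-a ... time-h one second apart,
# a second host sending one non-matching and one matching name, then a benign query.
SAMPLE_EVENTS = (
    [(t, "10.0.0.5", encode_qname(f"time-{chr(97 + t)}.netgear.com")) for t in range(8)]
    + [(3, "10.0.0.9", encode_qname("time-ab.netgear.com"))]  # two-char suffix: no match
    + [(4, "10.0.0.9", encode_qname("time-q.netgear.com"))]   # one match, under threshold
    + [(20, "10.0.0.5", encode_qname("www.example.org"))]
)

if __name__ == "__main__":
    for ts, src in scan(SAMPLE_EVENTS):
        print(f"t={ts}s src={src}: flood threshold reached")
```

Run as written, only 10.0.0.5 produces an alert, at its fifth matching query; 10.0.0.9 never reaches the count. Tightening or loosening the pattern (for example `[a-z]+` with a matching length byte range) changes what is counted, while the threshold controls how much of it is tolerated before an alert, which is the trade-off Victor's "depends on how varied the flood hostnames are" points at.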
