[Oisf-users] Feature Request: IP & DNS Reputation Applied Against HTTP Host Field/HTTP file

Kevin Ross kevross33 at googlemail.com
Sun Jan 6 03:25:05 UTC 2013


Hi,

I have a thought of what might be a useful feature. I was thinking it would
be cool if Suricata could use the HTTP host header or the connections in
the http.log file to apply specified blacklists against it to look for
connections.

i.e.

Have IP and domains blacklists specified in a preprocessor and then apply
it such as:

Preprocessor:
reputation:
domains: $RULE_PATH/malwaredrop.txt
ips: $RULE_PATH/botnetcncips.txt
domains: $RULE_PATH/malwarecnc.txt

And then have it detect things like these if it appears in the specified
lists:
Host: malwarecnc.bad
Host: 13.213.123.X

Essentially if it was in a rule format it could be like this:
Specified Variable in config: malwarecncdomains = $RULE_PATH/malwarecnc.txt
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Connection To
Malware CnC Domain"; flow:established,to_server; content:"Host|3A 20|";
http_header; reputation:$malwarecncdomains,relative; http_header;
classtype:trojan-activity; sid:1323991; rev:1;)

It may even allow in rule format to search for malicious links in websites
if the variables could be applied anywhere to the HTTP traffic. This would
be useful in some environments where the IDS may see traffic from client to
proxy depending on setup.

What are people's thoughts on this?
Thanks,
Kevin Ross
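The matching the post asks for, done offline against http.log rather than inside Suricata, as an added example (not code from the post or from the Suricata project). It assumes blacklists in the one-entry-per-line shape of the $RULE_PATH files named above, a legacy http.log line layout of "timestamp host [**] uri [**] user-agent [**] src -> dst" (constructed here, not guaranteed to match any release), and constructed list entries and log lines. A domain hits when it or any parent domain is listed, and an IP literal in the Host header is checked against single addresses or CIDR ranges, with an optional :port stripped first.

```python
"""Check HTTP Host values against domain and IP blacklists (added example).

Mimics the 'reputation' idea from the mail: load a domain list and an IP
list, then test each HTTP Host value taken from http.log against them.
Log layout and all list entries are constructed for this example.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed stand-ins for $RULE_PATH/malwarecnc.txt and
# $RULE_PATH/botnetcncips.txt; IP entries may be hosts or CIDRs.
DOMAIN_LIST = """# malwarecnc.txt (constructed)
malwarecnc.bad
drop.example
"""
IP_LIST = """# botnetcncips.txt (constructed)
198.51.100.7
203.0.113.0/24
"""


def load_domains(text: str) -> set:
    """Lower-cased, comment-stripped domain set."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            out.add(line)
    return out


def load_networks(text: str) -> list:
    """Networks; a bare address becomes a /32 (or /128 for IPv6)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def normalize_host(value: str) -> str:
    """Strip an optional :port (and IPv6 brackets) from a Host value."""
    value = value.strip().lower()
    if value.startswith("["):            # [2001:db8::1]:8080
        return value[1:value.index("]")]
    if value.count(":") == 1:            # host:port
        value = value.rsplit(":", 1)[0]
    return value.rstrip(".")


def check_host(value: str, domains: set, nets: list) -> Optional[str]:
    """Return the list entry the Host matches, or None.

    'cdn.malwarecnc.bad' hits 'malwarecnc.bad' because parent domains
    are tried too; an IP literal is matched against the networks.
    """
    host = normalize_host(value)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return candidate
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


# Assumed legacy http.log layout: ts host [**] uri [**] ua [**] src -> dst
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \[\*\*\] (?P<uri>\S+) \[\*\*\] "
    r"(?P<ua>.*?) \[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample lines (documentation addresses only).
SAMPLE_LOG = """\
01/06/2013-03:25:05.000001 www.example.org [**] / [**] Mozilla/5.0 [**] 10.0.0.5:50001 -> 192.0.2.10:80
01/06/2013-03:25:06.000002 cdn.malwarecnc.bad [**] /gate.php [**] Mozilla/5.0 [**] 10.0.0.5:50002 -> 192.0.2.11:80
01/06/2013-03:25:07.000003 203.0.113.42:8080 [**] /cfg [**] curl/7.0 [**] 10.0.0.6:50003 -> 203.0.113.42:8080
01/06/2013-03:25:08.000004 198.51.100.7 [**] /beacon [**] Mozilla/5.0 [**] 10.0.0.7:50004 -> 198.51.100.7:80
"""


def scan_log(text: str, domains: set, nets: list) -> List[Tuple[str, str, str]]:
    """(src, host, matched_entry) for every line whose Host is listed."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        entry = check_host(m.group("host"), domains, nets)
        if entry:
            hits.append((m.group("src"), m.group("host"), entry))
    return hits


if __name__ == "__main__":
    d, n = load_domains(DOMAIN_LIST), load_networks(IP_LIST)
    for src, host, entry in scan_log(SAMPLE_LOG, d, n):
        print(f"{src} -> Host: {host} matched {entry}")
```

Parent-domain matching is what makes a base-domain list useful against a Host header, but it also means a listed base domain catches every subdomain, so a list such as malwarecnc.txt should hold only domains whose entire tree is considered bad.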