[Oisf-users] Feature Request: IP & DNS Reputation Applied Against HTTP Host Field/HTTP file

Matt matt at somedamn.com
Sun Jan 6 18:14:14 UTC 2013


Does DNS reputation exist even for DNS packets today?  IP Reputation 
just came out in 1.4.  I'd love to see a similar feature for hostnames, 
as those are actually more useful to me than IP addresses.  The vast 
majority of trojan command & control servers use hostnames rather than 
IP addresses.  It would be great if the reputation rules could be 
applied to http Host headers as well, since most of the C&C's are 
HTTP-based.

Matt

On 1/5/2013 10:25 PM, Kevin Ross wrote:
> Hi,
>
> I have a thought of what might be a useful feature. I was thinking it 
> would be cool if Suricata could use the HTTP host header or the 
> connections in the http.log file to apply specified blacklists against 
> it to look for connections.
>
> i.e.
>
> Have IP and domains blacklists specified in a preprocessor and then 
> apply it such as:
>
> Preprocessor:
> reputation:
> domains: $RULE_PATH/malwaredrop.txt
> ips: $RULE_PATH/botnetcncips.txt
> domains: $RULE_PATH/malwarecnc.txt
>
> And then have it detect things like these if it appears in the 
> specified lists:
> Host: malwarecnc.bad
> Host: 13.213.123.X
>
> Essentially if it was in a rule format it could be like this:
> Specified Variable in config: malwarecncdomains = 
> $RULE_PATH/malwarecnc.txt
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Connection To 
> Malware CnC Domain"; flow:established,to_server; content:"Host|3A 
> 20|"; http_header; reputation:$malwarecncdomains,relative; 
> http_header; classtype:trojan-activity; sid:1323991; rev:1;)
>
> It may even allow in rule format to search for malicious links in 
> websites if the variables could be applied anywhere to the HTTP 
> traffic. This would be useful in some environments where the IDS may 
> see traffic from client to proxy depending on setup.
>
> What are people's thoughts on this?
> Thanks,
> Kevin Ross
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
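The check Kevin proposes (domain and IP blacklists applied to the HTTP Host header, with the Host value also covering the client-to-proxy case where the destination IP is only the proxy), as an added stand-alone example. This is not Suricata code and not a proposed patch: it emulates the lookup in Python over a few constructed http.log-style lines. The list contents, the log lines and the `<timestamp> <host> [**] <uri> [**] <user-agent> [**] <src> -> <dst>` layout are assumptions made for the example. Domain matching is exact or on a parent domain, so `cdn.malwarecnc.bad` hits `malwarecnc.bad` while `notmalwarecnc.bad` does not; an IP-literal Host is checked against CIDR entries, and host:port, case and a trailing dot are normalised away first.

```python
"""Apply domain and IP blacklists to HTTP Host header values.

Added example, not Suricata code: emulates the reputation-on-Host-header
check proposed in the thread over constructed http.log-style lines.
"""
import ipaddress
import re

# Constructed blacklists in the one-entry-per-line shape of the proposal
# ($RULE_PATH/malwarecnc.txt, $RULE_PATH/botnetcncips.txt). Entries are made up.
MALWARE_DOMAINS_TXT = """\
# C&C domains; a line matches the exact host or any subdomain of it
malwarecnc.bad
Drop.Example.
"""

BOTNET_IPS_TXT = """\
# single addresses or CIDR blocks
13.213.123.0/24
198.51.100.7
"""

# Constructed lines in an assumed http.log layout:
# <timestamp> <host> [**] <uri> [**] <user-agent> [**] <src> -> <dst>
# Line 3 is a client talking to a proxy (dst 10.1.1.1:3128): only the Host
# header reveals where the request is really going.
SAMPLE_HTTP_LOG = [
    "01/06/2013-18:14:14.000001 malwarecnc.bad [**] /gate.php [**] Mozilla/4.0 [**] 10.0.0.5:49152 -> 203.0.113.4:80",
    "01/06/2013-18:14:15.000002 cdn.Malwarecnc.bad:8080 [**] /x [**] Mozilla/4.0 [**] 10.0.0.5:49153 -> 203.0.113.5:8080",
    "01/06/2013-18:14:16.000003 13.213.123.77 [**] /cfg.bin [**] - [**] 10.0.0.6:49154 -> 10.1.1.1:3128",
    "01/06/2013-18:14:17.000004 www.example.org [**] / [**] Mozilla/4.0 [**] 10.0.0.7:49155 -> 203.0.113.6:80",
    "01/06/2013-18:14:18.000005 notmalwarecnc.bad [**] / [**] Mozilla/4.0 [**] 10.0.0.8:49156 -> 203.0.113.7:80",
]


def _entries(text):
    """Yield non-empty, non-comment entries of a list file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def load_domains(text):
    """Domain list as a set of lowercase names without a trailing dot."""
    return {e.lower().rstrip(".") for e in _entries(text)}


def load_networks(text):
    """IP list as ip_network objects; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in _entries(text)]


# "host:port" or "[v6]:port"; a bare IPv6 literal matches neither branch
_HOSTPORT = re.compile(r"^\[(?P<v6>[^\]]+)\](?::\d+)?$|^(?P<h>[^:]+)(?::\d+)?$")


def normalize_host(raw):
    """Turn a Host header value into ('ip', ip_address) or ('domain', name)."""
    raw = raw.strip()
    m = _HOSTPORT.match(raw)
    h = (m.group("v6") or m.group("h")) if m else raw
    try:
        return ("ip", ipaddress.ip_address(h))
    except ValueError:
        return ("domain", h.lower().rstrip("."))


def check_host(raw_host, domains, networks):
    """Return the blacklist entry the Host value matches, or None.

    Domains match exactly or on a parent domain boundary (label by label), so
    a partial-label hit such as notmalwarecnc.bad against malwarecnc.bad is
    rejected. A list entry that is a bare TLD would match everything under
    it, so keep the lists sane.
    """
    kind, value = normalize_host(raw_host)
    if kind == "ip":
        for net in networks:
            if value in net:
                return str(net)
        return None
    labels = value.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def parse_http_log_line(line):
    """Split one http.log-style line (assumed layout above) into its fields."""
    ts, rest = line.split(" ", 1)
    host, uri, ua, flow = rest.split(" [**] ")
    src, dst = flow.split(" -> ")
    return {"ts": ts, "host": host, "uri": uri, "ua": ua, "src": src, "dst": dst}


def scan_http_log(lines, domains, networks):
    """List (host, matched_entry, src, dst) for every line whose Host hits a list."""
    hits = []
    for line in lines:
        rec = parse_http_log_line(line)
        entry = check_host(rec["host"], domains, networks)
        if entry is not None:
            hits.append((rec["host"], entry, rec["src"], rec["dst"]))
    return hits


if __name__ == "__main__":
    domains = load_domains(MALWARE_DOMAINS_TXT)
    networks = load_networks(BOTNET_IPS_TXT)
    for host, entry, src, dst in scan_http_log(SAMPLE_HTTP_LOG, domains, networks):
        print(f"HTTP Connection To Malware CnC: Host={host} list={entry} {src} -> {dst}")
```

Run as-is it reports three of the five constructed lines: the exact domain, the subdomain on a non-standard port, and the IP-literal Host that would be invisible to a destination-IP reputation check because the flow's destination is the proxy. Because the Host header is supplied by the client, this only tells you what the client asked for, not what it actually reached; a proxy or a misbehaving client can send any value, which is also why the match should fire on the header rather than on the connection's IP pair.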
