[Oisf-users] Feature Request: IP & DNS Reputation Applied Against HTTP Host Field/HTTP file

Matt Jonkman jonkman at jonkmans.com
Mon Jan 7 13:46:23 UTC 2013


Domain rep doesn't exist yet, but it's in the works. Emerging Threats is
sponsoring some work directly with Victor to get this coded up. We are as
anxious to see this as well!

He's going down the road of building some kind of short term tracking of
the IP responses from dns queries that can then be referred to by
reputation directives in a rule either by IP or dns name.

Shouldn't be long till there is beta code, but it's not as easy an
undertaking as it sounds I think. Victor may have a few comments here.

Matt


On Sun, Jan 6, 2013 at 1:14 PM, Matt <matt at somedamn.com> wrote:

>  Does DNS reputation exist even for DNS packets today?  IP Reputation
> just came out in 1.4.  I'd love to see a similar feature for hostnames, as
> those are actually more useful to me than IP addresses.  The vast majority
> of trojan command & control servers use hostnames rather than IP
> addresses.  It would be great if the reputation rules could be applied to
> http Host headers as well, since most of the C&C's are HTTP-based.
>
> Matt
>
> On 1/5/2013 10:25 PM, Kevin Ross wrote:
>
> Hi,
>
> I have a thought of what might be a useful feature. I was thinking it would
> be cool if Suricata could use the HTTP host header or the connections in
> the http.log file to apply specified blacklists against it to look for
> connections.
>
> i.e
>
> Have IP and domains blacklists specified in a preprocessor and then apply
> it such as:
>
> Preprocessor:
> reputation:
> domains: $RULE_PATH/malwaredrop.txt
> ips: $RULE_PATH/botnetcncips.txt
> domains: $RULE_PATH/malwarecnc.txt
>
> And then have it detect things like these if it appears in the specified
> lists:
> Host: malwarecnc.bad
> Host: 13.213.123.X
>
> Essentially if it was in a rule format it could be like this:
> Specified Variable in config: malwarecncdomains = $RULE_PATH/malwarecnc.txt
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Connection To
> Malware CnC Domain"; flow:established,to_server; content:"Host|3A 20|";
> http_header; reputation:$malwarecncdomains,relative; http_header;
> classtype:trojan-activity; sid:1323991; rev:1;)
>
> It may even allow in rule format to search for malicious links in websites
> if the variables could be applied anywhere to the HTTP traffic. This would
> be useful in some environments where the IDS may see traffic from client to
> proxy depending on setup.
>
> What are people's thoughts on this?
> Thanks,
> Kevin Ross
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
>



-- 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
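The check Kevin sketches above (a domain list and an IP list applied against the HTTP Host header, or against the hostname column of http.log) can be prototyped outside Suricata. The following is an added example, not Suricata code and not part of the original thread: it loads two constructed blacklists, normalizes a Host value (port stripped, trailing dot removed, IP literal versus domain name), matches domains by suffix so a subdomain of a listed domain also hits, matches IPs by CIDR, and runs the check over a few constructed http.log lines in the classic Suricata 1.x `host [**] uri [**] user-agent [**] src -> dst` layout (the log format and the list file names are assumptions for the example).

```python
import ipaddress
import re

# Constructed stand-ins for $RULE_PATH/malwarecnc.txt and $RULE_PATH/botnetcncips.txt
MALWARE_CNC_DOMAINS = """
# one domain per line; comments and blank lines are ignored
malwarecnc.bad
update.evil-example.test
"""
BOTNET_CNC_IPS = """
13.213.123.0/24
198.51.100.7
"""


def load_domains(text):
    """Return a set of lowercased, dot-stripped domains from a list file body."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            out.add(line)
    return out


def load_networks(text):
    """Return a list of ip_network objects; bare addresses become /32 or /128."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(ipaddress.ip_network(line, strict=False))
    return out


def normalize_host(host):
    """Lowercase, drop a :port suffix and a trailing dot; classify as ip or domain."""
    host = host.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal, [::1]:8080
        host = host[1:host.find("]")]
    elif host.count(":") == 1:                    # name:port or v4:port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    try:
        return "ip", ipaddress.ip_address(host)
    except ValueError:
        return "domain", host


def domain_matches(host, domains):
    """Exact or parent-domain match: c2.malwarecnc.bad hits a listed malwarecnc.bad."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_matches(addr, networks):
    """Return the first listed network containing addr, as a string, or None."""
    for net in networks:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def check_host(host, domains, networks):
    """Return (list_name, matched_entry) for a Host value, or None when clean."""
    kind, value = normalize_host(host)
    if kind == "ip":
        hit = ip_matches(value, networks)
        return ("ips", hit) if hit else None
    hit = domain_matches(value, domains)
    return ("domains", hit) if hit else None


# Assumed Suricata 1.x http.log layout: ts host [**] uri [**] ua [**] src -> dst
HTTP_LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \[\*\*\] (?P<uri>\S+) \[\*\*\] (?P<ua>.*?) "
    r"\[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)$"
)


def scan_http_log(lines, domains, networks):
    """Apply the reputation lists to the host column of http.log lines."""
    alerts = []
    for line in lines:
        m = HTTP_LOG_RE.match(line)
        if not m:
            continue
        hit = check_host(m.group("host"), domains, networks)
        if hit:
            alerts.append({"ts": m.group("ts"), "host": m.group("host"),
                           "src": m.group("src"), "list": hit[0], "entry": hit[1]})
    return alerts


DOMAINS = load_domains(MALWARE_CNC_DOMAINS)
NETS = load_networks(BOTNET_CNC_IPS)

# Constructed sample http.log lines (not captured traffic)
SAMPLE_HTTP_LOG = [
    "01/07/2013-13:46:23.123456 malwarecnc.bad [**] /gate.php [**] Mozilla/4.0 [**] 10.0.0.5:51234 -> 198.51.100.7:80",
    "01/07/2013-13:46:24.000001 www.example.com [**] /index.html [**] Mozilla/5.0 [**] 10.0.0.5:51235 -> 93.184.216.34:80",
    "01/07/2013-13:46:25.500000 13.213.123.45:8080 [**] /a.bin [**] - [**] 10.0.0.9:40000 -> 13.213.123.45:8080",
    "01/07/2013-13:46:26.000000 c2.malwarecnc.bad. [**] /ping [**] curl/7.0 [**] 10.0.0.7:40001 -> 203.0.113.9:80",
]

if __name__ == "__main__":
    for a in scan_http_log(SAMPLE_HTTP_LOG, DOMAINS, NETS):
        print(f"{a['ts']} {a['src']} -> Host {a['host']} hit {a['list']} entry {a['entry']}")
```

Suffix matching is what makes a domain list usable against Host headers, since C&C names are often rotated under a fixed registered domain; the trailing-dot and port stripping is what keeps a client from slipping past the list with a trivially different spelling of the same name.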