[Oisf-users] Question about drop http requests
Anoop Saldanha
anoopsaldanha at gmail.com
Thu Sep 26 03:00:52 UTC 2013
On Thu, Sep 26, 2013 at 12:29 AM, carlopmart <carlopmart at gmail.com> wrote:
>
>
> On 25/09/13 17:23, Anoop Saldanha wrote:
>> On Tue, Sep 24, 2013 at 10:26 PM, carlopmart <carlopmart at gmail.com> wrote:
>>> Hi all,
>>>
>>> Is it possible to configure suricata to drop all http connections that
>>> don't appear in a config file?
>>>
>>> For example, I would like to drop all http connections initiated by
>>> server 1.1.1.1, except for some domains like:
>>>
>>> .google.com
>>> .yahoo.com ...
>>
>> drop http 1.1.1.1 any -> any any (content:!".google.com"; http_host;
>> content:!".yahoo.com"; http_host; sid:1;)
>
> Good!!! Thanks Anoop ... But it is not possible to do something like this:
>
> drop http 1.1.1.1 any -> any any (content:!"/path/to/myconfigfile.txt";
> http_host; sid:1;)??
>
> /path/to/myconfigfile.txt with the following content:
>
> .google.com
> .yahoo.com
> ....
Nope.
You can write a script instead to convert your config file into a
.rules file for suricata?
--
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
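
The script suggested in the reply above, as an added example that is not part of the original message: it reads an allowlist file like the one in the question and emits the single drop rule in the form shown earlier in the thread. The function names, the `#` comment syntax and the sample input are assumptions made for this example.

```python
import ipaddress
import re

# Allowlist entry: optional leading dot, then two or more DNS labels.
# Anything else (quotes, semicolons, spaces) is rejected so a config line
# can never break out of the quoted content string in the generated rule.
LABEL = r"[a-z0-9]([a-z0-9-]*[a-z0-9])?"
ENTRY_RE = re.compile(rf"^\.?{LABEL}(\.{LABEL})+$")

def parse_allowlist(text):
    """Return unique, lowercased entries; skip blank lines and # comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Suricata lowercases the http_host buffer, so lowercase the patterns.
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not ENTRY_RE.match(line):
            raise ValueError(f"line {lineno}: invalid entry {raw!r}")
        if line not in entries:
            entries.append(line)
    return entries

def build_rule(src_ip, entries, sid=1):
    """Build one drop rule with a negated http_host match per entry."""
    ipaddress.ip_address(src_ip)  # raises ValueError on a malformed address
    if not entries:
        # Without any negated match the rule would not express an allowlist.
        raise ValueError("allowlist is empty")
    matches = " ".join(f'content:!"{e}"; http_host;' for e in entries)
    return f"drop http {src_ip} any -> any any ({matches} sid:{sid};)"

# Constructed sample input standing in for /path/to/myconfigfile.txt
SAMPLE = """\
# allowed domains
.google.com
.Yahoo.com

.google.com   # duplicate
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(build_rule("1.1.1.1", parse_allowlist(text)))
```

Each `content:!"..."; http_host;` is a substring test on the Host header, so an entry allows any host name that contains it.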