[Oisf-users] Suppressing rules by http host name, best method?

Victor Julien lists at inliniac.net
Fri Dec 5 13:49:01 UTC 2014


On 12/05/2014 02:37 PM, Jay M. wrote:
> I hope this is the correct place to ask this. I'm trying to suppress a
> rule I created by http host name. I prefer to use IPs however this
> particular host name uses several dynamic IPs in Akamai cloud, so
> suppressing an ever-growing list of IPs on that network is not
> something I want to do.
> 
> I don't see any options for track by hostname in the threshold.conf
> documentation, so I assume (please correct me if I'm mistaken) that
> this is not an option? My next thought was to do a pcre rule, however
> I'm open to other suggestions if they exist.

If you're okay with ignoring/suppressing all rules for that host, you
could use a pass rule:

pass http any any -> any any (content:"yourhostnametoignore"; http_host; sid:12345;)

See also:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
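
Worked example (added here; not from the original message or the Suricata project): a small rules file that puts the pass rule beside the alert rule it silences, and adds a per-rule exclusion with a negated http_host match for the case where only one rule should go quiet for that host. The sids, host name and URI pattern are constructed placeholders.

```suricata
# Constructed example rules file (e.g. local.rules). All sids, the host
# name and the URI pattern are placeholders, not values from the thread.

# 1) The rule that keeps firing on the Akamai-hosted name we want to ignore.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL suspicious download path"; flow:established,to_server; content:"/setup.exe"; http_uri; classtype:policy-violation; sid:9000001; rev:1;)

# 2) Whole-host pass rule, as suggested in the reply. Suricata evaluates
#    pass rules before alert rules regardless of file order, and a flow that
#    matches is skipped by detection for the rest of its lifetime, so every
#    rule goes quiet for this host, not only sid 9000001.
#    The http_host buffer is normalised to lowercase and carries no port, so
#    the content must be lowercase (nocase is not allowed with http_host).
pass http any any -> any any (msg:"LOCAL pass trusted CDN host"; content:"downloads.example-cdn.com"; http_host; sid:9000002; rev:1;)

# 3) Per-rule exclusion: use this instead of rule 1 when sid 9000001 should
#    stay active for every other host. The negated http_host match drops the
#    one host from this rule only; other rules still inspect that traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL suspicious download path, trusted CDN excluded"; flow:established,to_server; content:"/setup.exe"; http_uri; content:!"downloads.example-cdn.com"; http_host; classtype:policy-violation; sid:9000003; rev:1;)
```

Pick either rule 2 or rule 3, not both: the pass rule makes the exclusion in rule 3 redundant for that host. A syntax check before deployment is `suricata -T -c suricata.yaml -S local.rules`.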