[Oisf-users] Suppressing rules by http host name, best method?

Jay M. jskier at gmail.com
Fri Dec 5 14:57:55 UTC 2014


Neat, thanks, I missed that in the docs. I should be able to tune it
down even further than this by throwing in more content values, but
I'll start here for testing (slightly obfuscated):

pass http proxyip any -> $EXTERNAL_NET 80 (msg:"Pass ocsp Verisign
traffic"; content:"ocsp.verisign.com"; http_host; sid:#;)
--
Jay
jskier at gmail.com


On Fri, Dec 5, 2014 at 7:49 AM, Victor Julien <lists at inliniac.net> wrote:
> On 12/05/2014 02:37 PM, Jay M. wrote:
>> I hope this is the correct place to ask this. I'm trying to suppress a
>> rule I created by http host name. I prefer to use IPs however this
>> particular host name uses several dynamic IPs in Akamai cloud, so
>> suppressing an ever growing list of IPs on that network is not
>> something I want to do.
>>
>> I don't see any options for track by hostname in the threshold.conf
>> documentation, so I assume (please correct me if I'm mistaken) that
>> this is not an option? My next thought was to do a pcre rule, however
>> I'm open to other suggestions if they exist.
>
> If you're okay with ignoring/suppressing all rules for that host, you
> could use a pass rule:
>
> pass http any any -> any any (content:"yourhostnametoignore"; http_host;
> sid:12345;)
>
> See also:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
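One way to confirm a pass rule like the ones above actually took effect, as an added example that is not code from this thread or from the Suricata project: read Suricata EVE JSON alert events (the sample lines below are constructed, not real logs) and count what is still alerting per HTTP Host header. The suppressed-host check is a substring test on the lowercased host, which is how a plain content match against the http_host buffer behaves.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not from the thread). The first two are the
# kind of alert the pass rule is meant to silence; the fourth is an http event,
# not an alert, and must be ignored by the counter.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"23.0.0.1","alert":{"signature_id":9000001,"signature":"LOCAL outbound OCSP"},"http":{"hostname":"ocsp.verisign.com","url":"/"}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"23.0.0.2","alert":{"signature_id":9000001,"signature":"LOCAL outbound OCSP"},"http":{"hostname":"OCSP.verisign.com","url":"/MFEw"}}',
    '{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.4","alert":{"signature_id":9000001,"signature":"LOCAL outbound OCSP"},"http":{"hostname":"ocsp.example.net","url":"/"}}',
    '{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"23.0.0.1","http":{"hostname":"ocsp.verisign.com","url":"/"}}',
]


def alerts_by_host(lines):
    """Count alert events per (Host header, signature id).

    Only event_type "alert" is counted; hosts are lowercased to match the
    normalisation Suricata applies to the http_host buffer. Alerts without an
    HTTP record are grouped under a placeholder key so they are not lost.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        host = ev.get("http", {}).get("hostname", "<no-http-host>").lower()
        counts[(host, ev["alert"]["signature_id"])] += 1
    return counts


def still_alerting(lines, suppressed_host):
    """True if any alert still carries the host the pass rule should silence.

    Uses a substring test, mirroring a bare content match on http_host: the
    pass rule would also cover hosts that merely contain the string.
    """
    needle = suppressed_host.lower()
    return any(needle in host for (host, _sid) in alerts_by_host(lines))
```

Run it against a real eve.json with `alerts_by_host(open("eve.json"))` before and after loading the pass rule; the suppressed host should drop out of the counts entirely.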


