[Oisf-users] HTTP domain whitelist?

Victor Julien lists at inliniac.net
Fri Jan 17 08:28:55 UTC 2014

On 01/16/2014 07:57 PM, Cooper F. Nelson wrote:
> I'm having some performance issues with suricata which seem to be 
> related to a few very high trafficked domains (like AV url
> reputation services).  I can't whitelist by IP as its served from a
> CDN and changes constantly.
> Is there any way to tell suricata to not process urls that match a 
> certain domain?

If you're willing to accept going blind on these domains, you could
use 'pass' rules. E.g.:

pass http any any -> any any (content:"inliniac.net"; http_host;
sid:x; rev:x;)

This will bypass the detection engine for the rest of the packets in
the matching flow.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list