[Oisf-users] HTTP domain whitelist?
Victor Julien
lists at inliniac.net
Fri Jan 17 08:28:55 UTC 2014
On 01/16/2014 07:57 PM, Cooper F. Nelson wrote:
> I'm having some performance issues with suricata which seem to be
> related to a few very high trafficked domains (like AV url
> reputation services). I can't whitelist by IP as it's served from a
> CDN and changes constantly.
>
> Is there any way to tell suricata to not process urls that match a
> certain domain?

If you're willing to accept going blind on these domains, you could
use 'pass' rules. E.g.:

    pass http any any -> any any (content:"inliniac.net"; http_host; sid:x; rev:x;)

This will bypass the detection engine for the rest of the packets in
the matching flow.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
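
Added example, not part of the message above or of Suricata itself: `content` with `http_host` matches the string anywhere in the Host value, so this Python sketch audits a list of observed Host values and reports which ones the pass rule would leave uninspected beyond the intended domain. The function names and host names are constructed for illustration, and the match is modelled as a simple case-insensitive substring test with no port handling.

```python
# Added illustration; all host names below are constructed sample data.

def content_match(host: str, pattern: str) -> bool:
    """Model content:"<pattern>"; http_host; as a substring test on the
    lower-cased Host value (assumption: simplified, no port handling)."""
    return pattern.lower() in host.lower()


def in_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit(hosts, domain):
    """Split the hosts the pass rule would cover into intended and
    unintended matches; hosts the rule does not cover are ignored."""
    intended, unintended = [], []
    for host in hosts:
        if not content_match(host, domain):
            continue  # still inspected by the detection engine
        (intended if in_domain(host, domain) else unintended).append(host)
    return intended, unintended


# Constructed Host values, e.g. as they might be pulled from HTTP logs.
SAMPLE_HOSTS = [
    "inliniac.net",
    "www.inliniac.net",
    "blog.inliniac.net.example.org",
    "notinliniac.net",
    "example.com",
]

if __name__ == "__main__":
    ok, extra = audit(SAMPLE_HOSTS, "inliniac.net")
    print("uninspected, intended:  ", ok)
    print("uninspected, unintended:", extra)
```

A non-empty second list means the pass rule's blind spot is wider than the domain it was written for, and the match needs narrowing before deployment.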