[Oisf-users] HTTP domain whitelist?

Cooper F. Nelson cnelson at ucsd.edu
Wed Jan 22 21:40:20 UTC 2014


That did it!  Thanks Victor!

On 1/17/2014 12:28 AM, Victor Julien wrote:
> On 01/16/2014 07:57 PM, Cooper F. Nelson wrote:
>> I'm having some performance issues with suricata which seem to be 
>> related to a few very high trafficked domains (like AV url
>> reputation services).  I can't whitelist by IP as it's served from a
>> CDN and changes constantly.
>>
>> Is there any way to tell suricata to not process urls that match a 
>> certain domain?
> 
> If you're willing to accept going blind on these domains, you could
> use 'pass' rules. E.g.:
> 
> pass http any any -> any any (content:"inliniac.net"; http_host;
> sid:x; rev:x;)
> 
> This will bypass the detection engine for the rest of the packets in
> the matching flow.
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
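Added example, not part of the thread and not code from the Suricata project: a small generator for the kind of 'pass' rule suggested above, plus a check of how far the resulting blind spot reaches. A `content` match is a substring match, so the sketch also adds a `pcre` with the `/W` (http_host) modifier to anchor the rule to the domain and its subdomains; that anchor, the helper names, the `.example`/`.test` hostnames and the SIDs in the local range are assumptions made for illustration.

```python
import re

# Hypothetical helpers; the rule keywords (pass, content, http_host, pcre,
# sid, rev) are Suricata's own. Hostnames and SIDs below are constructed.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

SAMPLE_HOSTS = ["cdn.example", "a.cdn.example",
                "cdn.example.test", "notcdn.example"]  # constructed


def normalize(domain):
    """Lowercase the name (http_host is matched lowercase) and reject
    anything that is not a plain hostname, so a list entry cannot
    smuggle quotes or semicolons into the generated rule."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError("not a plain hostname: %r" % domain)
    return d


def anchor_regex(domain):
    """Regex matching the domain itself or a subdomain of it, nothing else."""
    # Validated labels contain only [a-z0-9-], so only dots need escaping.
    return r"(?:^|\.)" + domain.replace(".", r"\.") + "$"


def pass_rule(domain, sid):
    """Build one pass rule: content for the fast match, pcre for the anchor."""
    d = normalize(domain)
    return ('pass http any any -> any any (msg:"pass %s"; content:"%s"; '
            'http_host; pcre:"/%s/W"; sid:%d; rev:1;)'
            % (d, d, anchor_regex(d), sid))


def passed_hosts(domain, hosts, anchored=True):
    """Return the hosts whose flows the rule would stop inspecting."""
    d = normalize(domain)
    if anchored:
        rx = re.compile(anchor_regex(d))
        return [h for h in hosts if rx.search(h.lower())]
    return [h for h in hosts if d in h.lower()]  # bare content match


if __name__ == "__main__":
    print(pass_rule("cdn.example", 1000001))
    print("content only:", passed_hosts("cdn.example", SAMPLE_HOSTS, False))
    print("anchored:    ", passed_hosts("cdn.example", SAMPLE_HOSTS, True))
```

Running `passed_hosts` over hostnames taken from existing HTTP logs before deploying a rule shows exactly which traffic will no longer be inspected.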
