[Oisf-users] HTTP domain whitelist?

Peter Manev petermanev at gmail.com
Thu Jan 23 07:47:11 UTC 2014

On Wed, Jan 22, 2014 at 10:40 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> That did it!  Thanks Victor!
> On 1/17/2014 12:28 AM, Victor Julien wrote:
>> On 01/16/2014 07:57 PM, Cooper F. Nelson wrote:
>>> I'm having some performance issues with suricata which seem to be
>>> related to a few very high trafficked domains (like AV url
>>> reputation services).  I can't whitelist by IP as it's served from a
>>> CDN and changes constantly.
>>> Is there any way to tell suricata to not process urls that match a
>>> certain domain?
>> If you're willing to accept going blind on these domains, you could
>> use 'pass' rules. E.g.:
>> pass http any any -> any any (content:"inliniac.net"; http_host;
>> sid:x; rev:x;)
>> This will bypass the detection engine for the rest of the packets in
>> the matching flow.

Wouldn't that be able to transfer into some sort of a feature request?

Peter Manev
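
A pass rule in the form quoted above matches the domain string anywhere in the Host header, so the uninspected scope is wider than the listed domain. The script below is an added example, not code from the thread or from the Suricata project: it generates one pass rule per domain with an anchored pcre on the normalized Host buffer (the `/W` modifier) and models both matches so the scope can be checked; the domain list, sids and function names are assumptions.

```python
import re

# Constructed sample input; the sids are hypothetical local values.
DOMAINS = ["inliniac.net", "Example.ORG"]
BASE_SID = 1000001
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(domain):
    """Lowercase and validate, so list entries cannot inject rule syntax."""
    d = domain.strip().rstrip(".").lower()
    if not d or not all(_LABEL.match(p) for p in d.split(".")):
        raise ValueError("not a plain hostname: %r" % domain)
    return d


def host_regex(domain):
    """Anchored pattern: the domain itself or one of its subdomains."""
    return r"(^|\.)" + domain.replace(".", r"\.") + "$"


def pass_rule(domain, sid):
    """The thread's pass rule plus an anchored pcre on the Host buffer (/W)."""
    d = normalize(domain)
    return ('pass http any any -> any any (content:"%s"; http_host; '
            'pcre:"/%s/W"; sid:%d; rev:1;)' % (d, host_regex(d), sid))


def substring_match(host, domain):
    """Models content:"<domain>"; http_host; exactly as posted in the thread."""
    return normalize(domain) in host.lower()


def anchored_match(host, domain):
    """Models the added pcre, so the scope can be checked before deployment."""
    return re.search(host_regex(normalize(domain)), host.lower()) is not None


def render(domains, base_sid=BASE_SID):
    """One rule per domain, each with its own sid."""
    return [pass_rule(d, base_sid + i) for i, d in enumerate(domains)]


if __name__ == "__main__":
    print("\n".join(render(DOMAINS)))
```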
