[Oisf-users] HTTP domain whitelist?
Peter Manev
petermanev at gmail.com
Thu Jan 23 07:47:11 UTC 2014
On Wed, Jan 22, 2014 at 10:40 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> That did it! Thanks Victor!
>
> On 1/17/2014 12:28 AM, Victor Julien wrote:
>> On 01/16/2014 07:57 PM, Cooper F. Nelson wrote:
>>> I'm having some performance issues with suricata which seem to be
>>> related to a few very highly trafficked domains (like AV url
>>> reputation services). I can't whitelist by IP as it's served from a
>>> CDN and changes constantly.
>>>
>>> Is there any way to tell suricata to not process urls that match a
>>> certain domain?
>>
>> If you're willing to accept going blind on these domains, you could
>> use 'pass' rules. E.g.:
>>
>> pass http any any -> any any (content:"inliniac.net"; http_host;
>> sid:x; rev:x;)
>>
>> This will bypass the detection engine for the rest of the packets in
>> the matching flow.
>>
>
Wouldn't that be able to transfer into some sort of a feature request?
--
Regards,
Peter Manev
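
Added example, not part of the thread or of Suricata's own code: a plain `content:"inliniac.net"; http_host;` match is a substring match, so the pass rule also exempts any other host whose name merely contains that string. The sketch below generates end-anchored pass rules and models which hosts each style would blind. Assumptions: the `depth` and `isdataat:!1,relative` anchoring, the sids, the sample hosts and the simplified matching model are all introduced here.

```python
import re

# Hostname labels only: anything else (quotes, semicolons) could break the rule text.
_HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

def pass_rules(domain, first_sid):
    """Return two anchored pass rules: exact host, and any subdomain of it."""
    d = domain.strip().lower().rstrip(".")   # http_host is matched lowercase
    if not _HOST_RE.fullmatch(d):
        raise ValueError("not a plain hostname: %r" % domain)
    tmpl = 'pass http any any -> any any (content:"%s"; http_host; %ssid:%d; rev:1;)'
    end = "isdataat:!1,relative; "           # no bytes may follow the match
    exact = tmpl % (d, "depth:%d; %s" % (len(d), end), first_sid)
    sub = tmpl % ("." + d, end, first_sid + 1)
    return [exact, sub]

def blinded(hosts, domain, anchored):
    """Model which Host values each rule style would exempt from detection."""
    d = domain.lower()
    if anchored:
        return [h for h in hosts if h == d or h.endswith("." + d)]
    return [h for h in hosts if d in h]      # plain content: substring match

# Constructed sample Host values (already lowercased, as http_host sees them).
SAMPLE_HOSTS = [
    "inliniac.net",
    "blog.inliniac.net",
    "notinliniac.net",
    "inliniac.net.example.org",
    "example.com",
]

if __name__ == "__main__":
    for rule in pass_rules("inliniac.net", 1000001):  # constructed local sids
        print(rule)
    print("substring:", blinded(SAMPLE_HOSTS, "inliniac.net", anchored=False))
    print("anchored: ", blinded(SAMPLE_HOSTS, "inliniac.net", anchored=True))
```
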