[Oisf-users] HTTP domain whitelist?

Peter Manev petermanev at gmail.com
Sun Jan 26 12:34:24 UTC 2014

On Thu, Jan 23, 2014 at 7:23 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Hash: SHA1
> On 1/22/2014 11:47 PM, Peter Manev wrote:
>> Wouldn't that be able to transfer in some sort of a feature request ?
> The pass rules meet our requirements precisely.  For the record, I much
> prefer the suricata model of building functionality into the core of the
> engine that can be manipulated by a robust language, vs. tacking on
> endless static features (like some other IDS products).

I like that too.  I am also fond of the idea to be able to use a BPF
like filter for domains at the start line as well.

> Anyways, it turns out that another culprit in our performance issues
> over the past few weeks were a few bad IPs SYN flooding us.  Which, btw,
> I'll note that suricata+ETPro didn't detect.

Maybe the ETPro mail list would be able to offer some help, if you let
them know about your troubles?

> So, if I had a feature request, it would be for more "behavioral" sigs
> to detect old-school DOS/flood attacks.
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> T+dWua7S3RkA8XMg16ROnoRpmnPlqd1v4Wxm0B8FLLCRcPvud4GHg/VCaD2GGj8T
> VXnZDi0qiOJzYZEzAVh9PttTbxusUyIAvAzh3xbReNwGMlo4+irxdB/Q8Gp9mSmD
> K4kZNRCzUEAvOAZl4ArRfnpV0boci0dlnEEX7ZiRGajYX7cQJ5vuxl2QMr/4uFB8
> DsdF4J0YO6pTGTt6MR/+wpM1xb68G+V/OT6XH+KnLtUGiVcjiMpKV9ct/j02aDb+
> 2R56MrJvENU7rZgnab0s1aqPz7y/+JKwgFwVlmT1zLYlZBe8kv6Orph7kc8C18s=
> =DRf2

Peter Manev

More information about the Oisf-users mailing list