[Oisf-users] Large list of domains in Suricata?

Kevin Ross kevross33 at googlemail.com
Tue Mar 11 14:46:47 UTC 2014


I am not sure about Suricata but you could try this
https://github.com/gamelinux/passivedns

Using this you get a web interface to query the domain database, and it can
generate alert files on blacklists of files for matches, regular
expressions etc. The negative, though, is that with it being DNS you will not
see if traffic went there and where, so it isn't as granular as in showing you
where the stuff is matching.

A way of doing this is to use BRO-IDS and the intel framework
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html. It has an
odd format, but there is a tool which lets you pull down many lists, and
using that you can match IPs, domains, MD5s, SSL certs etc. Basically you
can see the IPs being flagged from connection logs, the domain in the HTTP
logs etc.

Then use ELSA https://code.google.com/p/enterprise-log-search-and-archive/ or
something like Splunk/SIEM to alert on this data.

Hope that is helpful. Regards,
Kevin


On 11 March 2014 13:22, mikael vingaard <mikaelvingaard at gmail.com> wrote:

> Hello oisf-users,
>
> This is my first posting on this list. I have looked in FAQ/Google but
> can't find what I am looking for; please point me in the right direction
> if my question is already documented somewhere.
>
> I would like to use a large list of domains (100+) to block/alert in
> Suricata.
>
> Using a rule with {domain1,domain2,domain3} would be too cumbersome,
> but I have found a method of blocking MD5 sums (source
> http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/)
> - almost similar to what I would like to achieve with domains.
>
> Could someone assist me in writing a similar rule with domains?
>
> Many thanks in advance for any feedback/input.
>
> Mikael
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
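One way to get from a flat domain list to Suricata alerts without hand-writing a {domain1,domain2,...} rule is the dataset mechanism, which is the domain-list analogue of the MD5 blacklisting the question refers to. The example below is added here and is not code from either poster or from the Suricata project; it assumes Suricata 5.0 or later (for `dns.query` and `dataset:isset`), a `type string` dataset whose file holds one base64-encoded value per line, and a constructed sample blacklist.

```python
import base64
import re

# Constructed sample blacklist: comments, blanks, mixed case, a trailing
# dot, an invalid entry and a duplicate, as real-world lists tend to have.
SAMPLE_LIST = """
# constructed sample blacklist
bad.example
Bad.Example.
malware-c2.test
not a domain!
bad.example
"""

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(raw):
    """Lowercase, strip a trailing dot and reject anything that is not a
    syntactically valid hostname. Returns None for rejected entries."""
    name = raw.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def build_dataset(text):
    """Parse a blacklist file into (sorted unique domains, base64 lines).
    Suricata 'string' datasets expect one base64-encoded value per line."""
    domains = set()
    for line in text.splitlines():
        domain = normalize_domain(line.split("#", 1)[0])
        if domain:
            domains.add(domain)
    ordered = sorted(domains)
    return ordered, [base64.b64encode(d.encode()).decode() for d in ordered]


def dataset_rule(name, path, sid):
    """One rule that alerts on any DNS query whose name is in the dataset."""
    return ('alert dns any any -> any any (msg:"Blacklisted domain queried"; '
            f'dns.query; dataset:isset,{name},type string,load {path}; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    domains, lines = build_dataset(SAMPLE_LIST)
    print("\n".join(lines))                 # contents of bad-domains.lst
    print(dataset_rule("bad-domains", "bad-domains.lst", 9000001))
```

Dataset matching is an exact comparison of the queried name, so subdomains of a listed domain are not covered unless they are listed too.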