[Oisf-users] Large list of domains in Suricata?

Christophe Vandeplas christophe at vandeplas.com
Wed Mar 12 09:23:08 UTC 2014


Hi Mikael,
On Tue, Mar 11, 2014 at 2:22 PM, mikael vingaard
<mikaelvingaard at gmail.com> wrote:
> Hello oisf-users,
>
> This is my first posting on this list. I have looked in the FAQ/Google but can't
> find what I am looking for; please point me in the right direction if my
> question is already documented somewhere.
>
> I would like to use a large list of domains (100+) to block/alert on in
> Suricata.
>
> Using a rule with {domain1,domain2,domain3} would be too cumbersome,
> but I have found a method of blocking MD5 sums (source
> http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/),
> almost similar to what I would like to achieve with domains.

Just write one rule per domain. That's what I do and it seems that the
internal engine of the rules handles it well.
This is with 8000-ish domains.

So don't worry about the 100+ things you're going to add.

>
> Could someone assist me in writing a similar rule with domains
>
> Many thanks in advance for any feedback/input.
>
> Mikael
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
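The one-rule-per-domain approach from the reply above, as an added example that is not part of the original thread: a small generator that turns a plain-text domain list into one `alert dns` rule per entry. It assumes Suricata 2.0 or later (the `dns_query` sticky buffer), that the SID range starting at 9000000 is free for local rules, and that `bad-unknown` is present in your classification.config; all three are assumptions, not facts from the thread.

```python
"""Generate one Suricata rule per domain from a plain-text domain list.

Added example, not code from the original mailing-list thread. Assumes
Suricata 2.0+ (dns_query buffer) and that SIDs from 9000000 upward are
unused locally; adjust base_sid to fit your own SID allocation.
"""
import re
import sys

# Hostname syntax: labels of letters, digits and hyphens (no leading/trailing
# hyphen), at least two labels. Anything else is dropped rather than emitted,
# so a bad line in the list can never produce a rule that fails to load.
_DOMAIN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize_domains(lines):
    """Lowercase, strip comments/whitespace/trailing dot, drop duplicates and junk."""
    seen = set()
    cleaned = []
    for raw in lines:
        dom = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not dom or dom in seen or not _DOMAIN_RE.match(dom):
            continue
        seen.add(dom)
        cleaned.append(dom)
    return cleaned


def make_rule(domain, sid, rev=1):
    """Build one rule that matches the exact queried name in the dns_query buffer.

    depth:<len> forces the match to start at offset 0 of the name;
    isdataat:!1,relative rejects names that merely start with the domain
    (e.g. example.com.evil.tld); nocase handles mixed-case queries.
    The regex above excludes quotes and semicolons, so no escaping is needed.
    """
    return (
        "alert dns $HOME_NET any -> any any ("
        'msg:"LOCAL DNS query for blocklisted domain {d}"; '
        'dns_query; content:"{d}"; nocase; depth:{n}; isdataat:!1,relative; '
        "classtype:bad-unknown; sid:{sid}; rev:{rev};)"
    ).format(d=domain, n=len(domain), sid=sid, rev=rev)


def build_rules(lines, base_sid=9000000):
    """Return one rule string per valid domain, with sequential SIDs from base_sid."""
    return [make_rule(d, base_sid + i) for i, d in enumerate(normalize_domains(lines))]


if __name__ == "__main__":
    # Usage: python gen_dns_rules.py < domains.txt > local-domains.rules
    sys.stdout.write("\n".join(build_rules(sys.stdin)) + "\n")
```

Because every generated rule carries a plain `content` match, Suricata can feed all of them into its multi-pattern matcher for the DNS buffer, which is why a file with thousands of such rules stays manageable rather than costing one full evaluation per rule per query. Drop `depth` if you also want subdomains of each listed name to match, and reload with `suricata -T -S local-domains.rules` before deploying to catch any entry the generator let through.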
