[Oisf-users] Large list of domains in Suricata?

Victor Julien lists at inliniac.net
Wed Mar 12 09:26:45 UTC 2014


On 03/12/2014 10:23 AM, Christophe Vandeplas wrote:
> Hi Mikael,
> 
> 
> 
> On Tue, Mar 11, 2014 at 2:22 PM, mikael vingaard
> <mikaelvingaard at gmail.com> wrote:
>> Hello oisf-users,
>>
>> This is my first posting on this list, I have looked in FAQ/Google but can't
>> find what I am looking for, please point me in the right direction if my
>> question is already documented somewhere.
>>
>> I would like to use a large list of domains (100+) to block/alert in
>> Suricata.
>>
>> Using a rule with {domain1,domain2,domain3} would be too cumbersome,
>> but I have found a method of blocking MD5 sums (source
>> http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/)
>> -almost similar to what I would like to achieve with domains.
> 
> Just write one rule per domain. That's what I do and it seems that the
> internal engine of the rules handles it well.
> This is with 8000-ish domains.

Are you using the dns_query keyword for this?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
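As an added example (not code from this thread or from the Suricata project), here is a small generator for the one-rule-per-domain approach Christophe describes, emitting rules on the dns_query keyword Victor asks about; the sid range, the msg text and the sample domain list are my own assumptions.

```python
import re

# Constructed sample standing in for the poster's 100+ domain file:
# mixed case, a duplicate, a comment line and one malformed entry.
SAMPLE_DOMAINS = """
# blocklist.txt -- one domain per line, '#' starts a comment
Example.COM
malicious.example.net
malicious.example.net
bad domain.example
"""

# Hostname labels: letters, digits, hyphen; at least one dot.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

def load_domains(text):
    """Parse a one-domain-per-line list: strip comments, lowercase, drop a
    trailing dot, reject anything that is not a valid hostname (which also
    keeps rule-breaking characters such as ';' and '"' out of the content
    match), and de-duplicate while keeping order."""
    seen, accepted, rejected = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        if not _DOMAIN_RE.match(line):
            rejected.append(line)
            continue
        if line not in seen:
            seen.add(line)
            accepted.append(line)
    return accepted, rejected

def make_rule(domain, sid, action="alert"):
    """One Suricata rule matching the queried name in a DNS request.
    isdataat:!1,relative anchors the match at the end of the dns_query
    buffer, so 'example.com' does not fire on 'example.com.other.test';
    content is still a substring test, so 'notexample.com' would match."""
    return ('{action} dns any any -> any any (msg:"DNS query for listed domain {d}"; '
            'dns_query; content:"{d}"; nocase; isdataat:!1,relative; '
            'sid:{sid}; rev:1;)').format(action=action, d=domain, sid=sid)

def generate_rules(text, sid_base=9000000, action="alert"):
    """Return one rule per unique valid domain, sids assigned sequentially
    from sid_base (an assumed, locally unused range)."""
    domains, _ = load_domains(text)
    return [make_rule(d, sid_base + i, action) for i, d in enumerate(domains)]

if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_DOMAINS):
        print(rule)
```

Use action="drop" for blocking in IPS mode; the generated file is loaded like any other rule file, and rejected lines should be reviewed rather than silently skipped.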