[Oisf-users] Large list of domains in Suricata?

Victor Julien lists at inliniac.net
Wed Mar 12 09:26:45 UTC 2014

On 03/12/2014 10:23 AM, Christophe Vandeplas wrote:
> Hi Mikael,
> On Tue, Mar 11, 2014 at 2:22 PM, mikael vingaard
> <mikaelvingaard at gmail.com> wrote:
>> Hello oisf-users,
>> This is my first posting on this list. I have looked in FAQ/Google but can't
>> find what I am looking for, please point me in the right direction if my
>> question is already documented somewhere.
>> I would like to use a large list of domains (100+) to block/alert in
>> Suricata.
>> Using a rule with {domain1,domain2,domain3} would be too cumbersome,
>> but I have found a method of blocking MD5 sums (source
>> http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/)
>> - almost similar to what I would like to achieve with domains.
> Just write one rule per domain. That's what I do and it seems that the
> internal engine of the rules handles it well.
> This is with 8000-ish domains.

Are you using the dns_query keyword for this?

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
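The "one rule per domain" approach discussed in this thread, as an added example that is not from the thread or the Suricata project: a small generator that turns a domain list into one `dns_query` rule per entry with consecutive sids. The rule syntax assumed is that of Suricata 2.x (`dns_query; content:...; nocase;`), and the sample list is constructed.

```python
import re

# Added helper (not from the thread): emit one Suricata rule per domain,
# matching the DNS query name with the dns_query sticky buffer.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def domain_rule(domain, sid, exact=True, action="alert"):
    """Build a single rule for `domain`.

    exact=True  matches the query name exactly: depth anchors the match at
                the start of the buffer and isdataat:!1,relative forbids
                trailing bytes, so bad.com fires on neither notbad.com nor
                www.bad.com.
    exact=False matches every subdomain of `domain` (suffix ".bad.com");
                emit the exact rule as well if the bare name is wanted too.
    """
    d = domain.strip().rstrip(".").lower()
    if len(d) > 253 or not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid domain: {domain!r}")
    if exact:
        match = f'content:"{d}"; nocase; depth:{len(d)}; isdataat:!1,relative;'
    else:
        match = f'content:".{d}"; nocase; isdataat:!1,relative;'
    return (f'{action} dns any any -> any any (msg:"DNS query for {d}"; '
            f'dns_query; {match} sid:{sid}; rev:1;)')

def rules_from_list(text, first_sid=1000001, exact=True):
    """Turn a newline-separated domain list ('#' starts a comment) into rules,
    normalising case and trailing dots, skipping blanks and duplicates, and
    assigning consecutive sids starting at first_sid."""
    rules, seen, sid = [], set(), first_sid
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not line or line in seen:
            continue
        seen.add(line)
        rules.append(domain_rule(line, sid, exact=exact))
        sid += 1
    return rules

# Constructed sample blocklist for demonstration only.
SAMPLE = """# blocklist (constructed example values)
bad-domain.example
Evil.example.   # trailing dot and case are normalised
bad-domain.example   # duplicate, skipped
"""

if __name__ == "__main__":
    for rule in rules_from_list(SAMPLE):
        print(rule)
```

Write the output to a .rules file, reference it from suricata.yaml, and pick a sid range that does not collide with the rulesets you already load.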
