[Oisf-users] Large list of domains in Suricata?

Christophe Vandeplas christophe at vandeplas.com
Wed Mar 12 09:33:38 UTC 2014


On Wed, Mar 12, 2014 at 10:26 AM, Victor Julien <lists at inliniac.net> wrote:
> On 03/12/2014 10:23 AM, Christophe Vandeplas wrote:
>> Hi Mikael,
>>
>>
>>
>> On Tue, Mar 11, 2014 at 2:22 PM, mikael vingaard
>> <mikaelvingaard at gmail.com> wrote:
>>> Hello oisf-users,
>>>
>>> This is my first posting on this list. I have looked in the FAQ/Google but
>>> can't find what I am looking for, so please point me in the right direction
>>> if my question is already documented somewhere.
>>>
>>> I would like to use a large list of domains (100+) to block/alert in
>>> Suricata.
>>>
>>> Using a rule with {domain1,domain2,domain3} would be too cumbersome,
>>> but I have found a method of blocking MD5 sums (source
>>> http://blog.inliniac.net/2012/06/09/suricata-md5-blacklisting/)
>>> - almost similar to what I would like to achieve with domains.
>>
>> Just write one rule per domain. That's what I do and it seems that the
>> internal engine of the rules handles it well.
>> This is with 8000-ish domains.
>
> Are you using the dns_query keyword for this?

No, not yet, as I didn't switch yet to suri 2.0. But it's in the
issue-list of MISP : https://github.com/MISP/MISP/issues/187

However I'm also generating rules for web traffic based on the domain/hostname.
That usually contains more contextual info and helps the IDS analyst
to locate the compromised machine faster.


Here's the code that generates the rules. All feedback welcome of
course (cf. a previous mail on this mailing list where I already
requested feedback).

Grtz


>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
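The generator Christophe refers to is not included in the archived message. Below is an added example, not his or MISP's code, of the approach the thread describes: one rule per domain, matching the dns_query buffer (Suricata 2.0 and later) and the HTTP Host header. The sample list, the sid base 9000000 and the classtype are assumptions of this example.

```python
import re

# Constructed sample blacklist (not the author's 8000-domain list): note the
# duplicate in different case with a trailing dot, and the malformed entry.
DOMAINS = ["bad.example.net", "Bad.Example.Net.", "c2.example.org", "not a domain!"]

# Hostname syntax: letter/digit/hyphen labels, at least one dot. Passing this
# check also guarantees no characters that are special in a content string.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def normalize(domain):
    """Lower-case, strip whitespace and a trailing dot; None if not a hostname,
    so one bad line cannot produce a rule that makes Suricata reject the file."""
    d = domain.strip().lower().rstrip(".")
    return d if DOMAIN_RE.match(d) else None


def rules_for_domain(domain, sid):
    """Two rules per domain: a match on the dns_query buffer (Suricata >= 2.0)
    and one on the http_host buffer. isdataat:!1,relative anchors the match at
    the end of the buffer, so 'bad.example.net' fires on 'www.bad.example.net'
    but not on 'bad.example.network'. http_host is already lowercased by
    Suricata, so that content is emitted lowercase and without nocase."""
    dns = ('alert dns any any -> any any (msg:"Blacklisted domain %s in DNS query"; '
           'dns_query; content:"%s"; nocase; isdataat:!1,relative; '
           'classtype:trojan-activity; sid:%d; rev:1;)' % (domain, domain, sid))
    http = ('alert http any any -> any any (msg:"Blacklisted domain %s in HTTP Host"; '
            'content:"%s"; http_host; isdataat:!1,relative; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (domain, domain, sid + 1))
    return [dns, http]


def generate_rules(domains, sid_base=9000000):
    """One rule pair per unique valid domain, sids allocated sequentially from
    sid_base (assumed unused locally). Returns (rules, rejected_entries)."""
    rules, rejected, seen, sid = [], [], set(), sid_base
    for raw in domains:
        d = normalize(raw)
        if d is None:
            rejected.append(raw)
        elif d not in seen:
            seen.add(d)
            rules.extend(rules_for_domain(d, sid))
            sid += 2
    return rules, rejected


if __name__ == "__main__":
    out, bad = generate_rules(DOMAINS)
    print("\n".join(out))
    print("# skipped %d invalid entries: %s" % (len(bad), bad))
```

Write the output to a .rules file referenced from suricata.yaml and load-test it with `suricata -T` before deploying, since one malformed rule aborts loading of the whole file.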
