[Oisf-users] How do I match a URL with a Suricata rule?

Cooper F. Nelson cnelson at ucsd.edu
Wed Dec 16 17:51:29 UTC 2015



Btw, I forgot to mention that the way I do this is to use a Squid proxy
and just block the domains, IPs and URLs via the Squid ACL mechanism.

On 12/14/2015 3:50 AM, Marius wrote:
> * I don't think that an awk -F " " '{print $2$4}' http.log | grep -f
> bad_urls.txt is a good alerting workflow, because I want this to be
> handled by an IDS engine. Sure, you can pipe matches into syslog and
> configure an event trigger, but this is an additional process. It needs
> to be reliable and report matches in real time and so on. Suri's Lua
> scripting should cover this in a better way.
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042


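The two approaches in this message side by side, as an added example that is not code from this thread, from Suricata or from Squid: one blocklist of domains, IPs and URLs (the three things Cooper blocks at the proxy) is classified once and then turned both into Suricata rules, which is what the thread subject asks for, and into the Squid ACL list files plus the squid.conf lines that reference them. The rule syntax assumes Suricata 6.x or newer (sticky buffers, dotprefix, bsize, startswith/endswith); the blocklist contents, the sid range and the /etc/squid paths are constructed for illustration.

```python
# Added example (not from this thread or from Suricata/Squid): one blocklist
# of domains, IPs and URLs -> Suricata rules (6.x+ syntax assumed) + Squid ACLs.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample blocklist, not real indicators.  The last URL carries
# ';' and '|', which need escaping inside a Suricata content:"..." string.
SAMPLE_BLOCKLIST = """
# constructed sample; '#' starts a comment
evil.example.com
203.0.113.7
http://malware.example.net/payload/dropper.exe
https://bad.example.org/login;v=1?q=a|b
"""

HTTP_HEADER = "alert http $HOME_NET any -> $EXTERNAL_NET any"


def classify(entry):
    """Return ('ip', addr), ('domain', host) or ('url', (host, path+query))."""
    entry = entry.strip()
    if "://" in entry:
        parts = urlsplit(entry)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return ("url", (parts.hostname.lower(), path))
    try:
        ipaddress.ip_address(entry)
        return ("ip", entry)
    except ValueError:
        # http.host is lowercase-normalised, so keep domains lowercase too
        return ("domain", entry.lower().lstrip("."))


def parse_blocklist(text):
    """Parse the list format above into classified entries."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [classify(l) for l in lines if l]


def suricata_content(s):
    """Escape a content:"..." literal: backslash, double quote and semicolon
    get a backslash; a literal '|' must be written |7C| because '|' delimits
    hex bytes."""
    s = s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return s.replace("|", "|7C|")


def safe_msg(s):
    """msg:"..." follows the same quoting rules; just neutralise them."""
    return re.sub(r'[;"\\|]', "_", s)


def to_suricata_rules(entries, sid_start=9000001):
    """One rule per entry: domains match themselves and any subdomain
    (dotprefix + endswith), URLs pin the exact host (bsize) plus the start
    of the normalised URI, IPs have no HTTP buffer and get an IP rule."""
    rules = []
    for sid, (kind, val) in enumerate(entries, sid_start):
        tail = f"classtype:bad-unknown; sid:{sid}; rev:1;)"
        if kind == "domain":
            rules.append(
                f'{HTTP_HEADER} (msg:"BLOCKLIST domain {safe_msg(val)}"; '
                f"flow:established,to_server; http.host; dotprefix; "
                f'content:".{suricata_content(val)}"; endswith; {tail}')
        elif kind == "url":
            host, path = val
            rules.append(
                f'{HTTP_HEADER} (msg:"BLOCKLIST url {safe_msg(host + path)}"; '
                f"flow:established,to_server; http.host; "
                f'content:"{suricata_content(host)}"; bsize:{len(host)}; '
                f'http.uri; content:"{suricata_content(path)}"; startswith; {tail}')
        else:
            rules.append(f'alert ip $HOME_NET any -> {val} any '
                         f'(msg:"BLOCKLIST ip {val}"; {tail}')
    return rules


def to_squid(entries):
    """Squid side: a list file per ACL type (dstdomain, dst, url_regex) and
    the squid.conf lines that wire them in.  /etc/squid paths are illustrative."""
    files = {
        "bad_domains.txt": [f".{v}" for k, v in entries if k == "domain"],
        "bad_ips.txt": [v for k, v in entries if k == "ip"],
        "bad_urls.txt": [f"^https?://{re.escape(v[0])}{re.escape(v[1])}"
                         for k, v in entries if k == "url"],
    }
    files["squid.conf"] = [
        f'acl {name} {acl} "/etc/squid/{name}.txt"'
        for name, acl in (("bad_domains", "dstdomain"),
                          ("bad_ips", "dst"), ("bad_urls", "url_regex"))
    ] + [f"http_access deny {n}" for n in ("bad_domains", "bad_ips", "bad_urls")]
    return files
```

`to_suricata_rules(parse_blocklist(SAMPLE_BLOCKLIST))` yields four rules that can be dropped into a rules file loaded from suricata.yaml; `to_squid(...)` yields the three list files and the squid.conf lines. Two caveats apply to both tools: the http.uri buffer only exists for cleartext HTTP (for HTTPS Suricata sees the TLS SNI, not the URL), and Squid likewise only sees the CONNECT host for HTTPS unless it bumps TLS. For a list of thousands of entries, one rule per entry is the wrong shape; Suricata's dataset keyword on http.host or http.uri, or a Lua match script as Marius suggests, loads the list once instead.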
