[Oisf-users] Can a single rule handle multiple hostnames?

Josh Larkins jlarkins at malcovery.com
Mon Jun 1 15:10:37 UTC 2015


Thank you all, I do appreciate your suggestions. Apologies for bringing up something that has been discussed previously. I have enjoyed everything I've learned with these questions, thank you all for participating in this list and providing a place to get answers to questions like this. 

Josh


-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
Sent: Saturday, May 30, 2015 12:22 PM
To: Rodgers, Anthony (DTMB); Erich Lerch; Josh Larkins
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Can a single rule handle multiple hostnames?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This comes up periodically, so I'll also recommend either using a blackhole DNS or a web proxy.  Squid is free.

You can even run suricata inline on the inside interface of the Squid proxy, using Squid to block layer 3-6 traffic (IPs and hosts) and suricata to drop layer 7 attacks.

- -Coop

On 5/29/2015 12:24 PM, Rodgers, Anthony (DTMB) wrote:
> Or you could use a DNS blackhole - probably vastly more efficient than using an IPS for this...
> 
> --
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC) DTMB, Michigan Cyber 
> Security
> 
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org 
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf 
> Of Erich Lerch
> Sent: Friday, May 29, 2015 15:21
> To: Josh Larkins
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Can a single rule handle multiple hostnames?
> 
> Josh
> I guess you could achieve that with a PCRE-rule... theoretically. But it's probably MUCH more efficient to write one rule per hostname. A different thing is when you have IP addresses.
> 
> erich
> 
> 
> 2015-05-29 19:33 GMT+02:00 Josh Larkins <jlarkins at malcovery.com>:
>> I have a set of hostnames I’d like to prevent communication with. Can 
>> I author a rule that will include all of them in the same rule? I’ve 
>> been scouring all the Suricata documentation and looked through the 
>> open source ET rules and I’m not seeing any examples of how to accomplish this.
>>
>>
>>
>> Josh
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: 
>> http://suricata-ids.org/support/
>> List: 
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona: 
>> http://oisfevents.net
> 


- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVaeOnAAoJEKIFRYQsa8FWtXoIALNkDS01pLvqCovQ7j+ca5pb
CV2DfBA4+QjKH7iiGP/7m1PRfAkij2bhanjReyNbr0uciUHZD+SYCZ/gdksAurtu
MBvnf+gIrUHydTCz3dLNQfTQl199TOb05xI57IMRb4FORYyvQLUI2VlD1BNXqj8Q
HS7Oiky+mmo9cnhuY0EDDdbdP7adLyv1bUZc+RhtzN11dTspEnhdOmjRbuDodeE9
h1xKYyX5Ia2B8syhR8coNMTjyEkdymfuF3EijryR3fEIdiBgiyRi8yf6fiEYxIVP
m2TvfK8JwFKb9a76P1BlguQDMkcFDqpWbHzqiW4hyXBwl/pfhQrQTtv9GkgWEFQ=
=EB6v
-----END PGP SIGNATURE-----
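The three answers in the thread (one rule per hostname, a single PCRE rule, or taking the job out of the IPS with a proxy or DNS blackhole) can be compared concretely. The Python below is an added example, not code from the list or from the Suricata project: it generates both rule forms from a constructed hostname list, adds the dataset variant that newer Suricata releases offer, and checks the anchored PCRE alternation against sample Host values the way Suricata's pcre keyword would apply it to the lowercased http.host buffer. It assumes the sticky-buffer rule syntax (http.host, Suricata 4.x and later), bsize (4.1 and later) for the per-host rules, and the dataset keyword (5.0 and later); the hostnames, SIDs, dataset name and file path are placeholders.

```python
"""Generate Suricata rules that block a list of hostnames (added example,
not from the mailing-list thread). Assumes Suricata sticky-buffer syntax
(http.host), bsize (4.1+) and datasets (5.0+). All hostnames, SIDs and
file names below are constructed placeholders."""
import base64
import re

# Constructed blocklist; illustrative names, not taken from the thread.
BLOCKED_HOSTS = ["evil.example", "C2.BadGuys.test", "update-check.invalid"]


def normalise(hosts):
    """Suricata lowercases the http.host buffer (nocase is not allowed on it),
    so patterns must be lowercase; also drop blanks and a trailing dot."""
    return sorted({h.strip().lower().rstrip(".") for h in hosts if h.strip()})


def host_regex(hosts, include_subdomains=True):
    """One anchored alternation covering every hostname.

    Anchoring with ^ and $ and escaping the dots is what keeps
    "notevil.example" and "evil.example.attacker.test" from matching an
    entry for "evil.example". The optional label prefix admits subdomains.
    """
    alts = "|".join(re.escape(h) for h in normalise(hosts))
    sub = r"(?:[a-z0-9-]+\.)*" if include_subdomains else ""
    return f"^{sub}(?:{alts})$"


def single_pcre_rule(hosts, sid, include_subdomains=True):
    """The 'one rule for all hostnames' form the thread asks about. With no
    content keyword there is nothing for the multi-pattern prefilter to use,
    so the regex runs against every http.host buffer seen."""
    rx = host_regex(hosts, include_subdomains)
    return (f'drop http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Blocked hostname"; flow:established,to_server; '
            f'http.host; pcre:"/{rx}/"; classtype:policy-violation; '
            f'sid:{sid}; rev:1;)')


def per_host_rules(hosts, base_sid):
    """The 'one rule per hostname' form: each rule carries a literal content
    the prefilter can match on; bsize pins the buffer length so the match is
    exact (no subdomains, no longer names containing the entry)."""
    rules = []
    for i, h in enumerate(normalise(hosts)):
        rules.append(f'drop http $HOME_NET any -> $EXTERNAL_NET any '
                     f'(msg:"Blocked hostname {h}"; flow:established,to_server; '
                     f'http.host; content:"{h}"; bsize:{len(h)}; '
                     f'classtype:policy-violation; sid:{base_sid + i}; rev:1;)')
    return rules


def dataset_file_and_rule(hosts, sid, name="blocked-hosts", path="blocked-hosts.lst"):
    """Suricata 5.0+ alternative: match http.host against a dataset loaded
    from a file. Entries of a 'string' dataset are base64-encoded, one per
    line. Returns (file lines, rule). Exact matches only, like per_host_rules."""
    lines = [base64.b64encode(h.encode()).decode() for h in normalise(hosts)]
    rule = (f'drop http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Blocked hostname (dataset)"; flow:established,to_server; '
            f'http.host; dataset:isset,{name},type string,load {path}; '
            f'classtype:policy-violation; sid:{sid}; rev:1;)')
    return lines, rule


def is_blocked(host, hosts, include_subdomains=True):
    """Apply the generated regex the way Suricata would: against the
    lowercased Host value (port already stripped, as in http.host)."""
    return re.search(host_regex(hosts, include_subdomains), host.lower()) is not None


if __name__ == "__main__":
    print(single_pcre_rule(BLOCKED_HOSTS, 9000000))
    for rule in per_host_rules(BLOCKED_HOSTS, 9000001):
        print(rule)
    lines, rule = dataset_file_and_rule(BLOCKED_HOSTS, 9000100)
    print("\n".join(lines))
    print(rule)
    for sample in ["evil.example", "WWW.EVIL.EXAMPLE", "notevil.example",
                   "evil.example.attacker.test"]:
        print(sample, "->", "blocked" if is_blocked(sample, BLOCKED_HOSTS) else "allowed")
```

The drop action only takes effect when Suricata runs inline (as in the proxy layout Cooper describes); in IDS mode the same rules produce alerts. The normalised hostname list the generator works from is also the same input a Squid dstdomain ACL or a DNS blackhole zone would consume, so the list, not the rule format, is the thing to maintain in one place.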

