[Oisf-users] Can a single rule handle multiple hostnames?
Josh Larkins
jlarkins at malcovery.com
Mon Jun 1 15:10:37 UTC 2015
Thank you all, I do appreciate your suggestions. Apologies for bringing up something that has been discussed previously. I have enjoyed everything I've learned with these questions, thank you all for participating in this list and providing a place to get answers to questions like this.
Josh
-----Original Message-----
From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
Sent: Saturday, May 30, 2015 12:22 PM
To: Rodgers, Anthony (DTMB); Erich Lerch; Josh Larkins
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Can a single rule handle multiple hostnames?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This comes up periodically, so I'll also recommend either using a blackhole DNS or a web proxy. Squid is free.
You can even run suricata inline on the inside interface of the Squid proxy, using Squid to block layer 3-6 traffic (IPs and hosts) and suricata to drop layer 7 attacks.
- -Coop
On 5/29/2015 12:24 PM, Rodgers, Anthony (DTMB) wrote:
> Or you could use a DNS blackhole - probably vastly more efficient than using an IPS for this...
>
> --
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC) DTMB, Michigan Cyber
> Security
>
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf
> Of Erich Lerch
> Sent: Friday, May 29, 2015 15:21
> To: Josh Larkins
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Can a single rule handle multiple hostnames?
>
> Josh
> I guess you could achieve that with a PCRE-rule... theoretically. But it's probably MUCH more efficient to write one rule per hostname. A different thing is when you have IP addresses.
>
> erich
>
>
> 2015-05-29 19:33 GMT+02:00 Josh Larkins <jlarkins at malcovery.com>:
>> I have a set of hostnames I’d like to prevent communication with. Can
>> I author a rule that will include all of them in the same rule? I’ve
>> been scouring all the Suricata documentation and looked through the
>> open source ET rules and I’m not seeing any examples of how to accomplish this.
>>
>>
>>
>> Josh
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support:
>> http://suricata-ids.org/support/
>> List:
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona:
>> http://oisfevents.net
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJVaeOnAAoJEKIFRYQsa8FWtXoIALNkDS01pLvqCovQ7j+ca5pb
CV2DfBA4+QjKH7iiGP/7m1PRfAkij2bhanjReyNbr0uciUHZD+SYCZ/gdksAurtu
MBvnf+gIrUHydTCz3dLNQfTQl199TOb05xI57IMRb4FORYyvQLUI2VlD1BNXqj8Q
HS7Oiky+mmo9cnhuY0EDDdbdP7adLyv1bUZc+RhtzN11dTspEnhdOmjRbuDodeE9
h1xKYyX5Ia2B8syhR8coNMTjyEkdymfuF3EijryR3fEIdiBgiyRi8yf6fiEYxIVP
m2TvfK8JwFKb9a76P1BlguQDMkcFDqpWbHzqiW4hyXBwl/pfhQrQTtv9GkgWEFQ=
=EB6v
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list