[Oisf-users] Can a single rule handle multiple hostnames?
Rodgers, Anthony (DTMB)
RodgersA1 at michigan.gov
Fri May 29 19:24:26 UTC 2015
Or you could use a DNS blackhole - probably vastly more efficient than using an IPS for this...
--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security
-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Erich Lerch
Sent: Friday, May 29, 2015 15:21
To: Josh Larkins
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Can a single rule handle multiple hostnames?
Josh
I guess you could achieve that with a PCRE rule... theoretically. But it's probably MUCH more efficient to write one rule per hostname. A different thing is when you have IP addresses.
erich
2015-05-29 19:33 GMT+02:00 Josh Larkins <jlarkins at malcovery.com>:
> I have a set of hostnames I’d like to prevent communication with. Can
> I author a rule that will include all of them in the same rule? I’ve
> been scouring all the Suricata documentation and looked through the
> open source ET rules and I’m not seeing any examples of how to accomplish this.
>
>
>
> Josh
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
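To make the trade-off in Erich's reply concrete (one content rule per hostname versus one combined PCRE rule), here is a small added generator written for this thread; it is not code from the list or from the Suricata project. It assumes Suricata's `dns.query` sticky buffer (Suricata 5 and later; older releases spell it `dns_query`), the `bsize` keyword, a `dns` protocol rule header, and a constructed placeholder blocklist. The `drop` action only takes effect when Suricata runs inline as an IPS; Anthony's DNS-blackhole alternative is outside the scope of the example.

```python
import re

# Constructed sample blocklist: placeholder names, not hosts from the thread.
BLOCKED_HOSTS = ["Bad.Example.", "evil.test", "c2.tracker.invalid"]

# RFC 1123 hostname: labels of 1-63 chars from [a-z0-9-], no leading or trailing
# hyphen, at most 253 chars in total. Strict validation here also guarantees that
# nothing reaches the rule text that could terminate an option (";", "\"", "|")
# or alter the PCRE alternation.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def normalize_hostname(raw):
    """Lowercase, strip whitespace and a trailing dot; raise on anything invalid."""
    name = raw.strip().lower().rstrip(".")
    if not _HOSTNAME_RE.match(name):
        raise ValueError(f"invalid hostname: {raw!r}")
    return name


def is_valid_hostname(raw):
    try:
        normalize_hostname(raw)
        return True
    except ValueError:
        return False


def one_rule_per_host(hostnames, base_sid, action="alert"):
    """Erich's recommendation: one content rule per hostname.

    Every content: keyword is fed to Suricata's multi-pattern matcher, so N of
    these rules cost roughly one pattern search per query rather than N. bsize
    pins the query buffer length so "bad.example" does not also match
    "notbad.example"; drop the bsize option if subdomains should match as well.
    """
    rules = []
    for offset, raw in enumerate(hostnames):
        host = normalize_hostname(raw)
        rules.append(
            f'{action} dns any any -> any any '
            f'(msg:"BLOCKLIST DNS query for {host}"; dns.query; '
            f'content:"{host}"; nocase; bsize:{len(host)}; '
            f'sid:{base_sid + offset}; rev:1;)'
        )
    return rules


def single_pcre_rule(hostnames, sid, action="alert"):
    """The single-rule alternative: one pcre: alternation over every name,
    matching the name itself or any subdomain of it.

    There is no content: fast pattern here, so the regex runs against every DNS
    query the sensor sees; this is the slow option from the thread.
    """
    hosts = [normalize_hostname(h) for h in hostnames]
    # Only "." needs escaping: validation restricted the names to [a-z0-9.-].
    alternation = "|".join(h.replace(".", r"\.") for h in hosts)
    pattern = r"/^(?:.*\.)?(?:" + alternation + r")$/i"
    return (f'{action} dns any any -> any any '
            f'(msg:"BLOCKLIST DNS query, combined list"; dns.query; '
            f'pcre:"{pattern}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for rule in one_rule_per_host(BLOCKED_HOSTS, base_sid=9000001):
        print(rule)
    print(single_pcre_rule(BLOCKED_HOSTS, sid=9000000))
```

Write the per-host rules to a file loaded from suricata.yaml and run `suricata -T` to have the engine parse them before deploying; the same pattern applies unchanged to the `http.host` and `tls.sni` buffers if the goal is to catch the connection rather than the lookup.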