[Oisf-users] Can a single rule handle multiple hostnames?

Cooper F. Nelson cnelson at ucsd.edu
Fri May 29 21:15:43 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Best practice is to use multiple rules over PCRE whenever possible for
performance reasons.

On 5/29/2015 12:21 PM, Erich Lerch wrote:
> Josh
> I guess you could achieve that with a PCRE-rule... theoretically. But
> it's probably MUCH more efficient to write one rule per hostname. A
> different thing is when you have IP addresses.
> 
> erich
> 
> 
> 2015-05-29 19:33 GMT+02:00 Josh Larkins <jlarkins at malcovery.com>:
>> I have a set of hostnames I’d like to prevent communication with. Can I
>> author a rule that will include all of them in the same rule? I’ve been
>> scouring all the Suricata documentation and looked through the open source
>> ET rules and I’m not seeing any examples of how to accomplish this.
>>
>> Josh


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVaNb/AAoJEKIFRYQsa8FWEfMIALYeQhgrmY9/5lpX1M1gxKGe
efmTiBi6nvcD/bOlA4VxEWmNkV+/bD17j/sMtNMZSjmEqOfHAVUckXqYzPEr2Ns0
I/y5mB49b5KNHLJSySOyuf+Ym99tEAYKRSG5jJ/mgdfPfUkf/gGVQBsOLqVSUF5s
aUi2u8BhaSCpo63+By9dGS/iohb9tNLC0g2loAwLZIjsoZpZWUGeLJgkau0h4lgm
yYlqCGNDshKsuy70cRNjjDn/v+rqoBJtscPDq1JQc2eoWFmsdiSWc6K22cqYbjRD
cZn4AUbe4B1Mp56ZEuoW6oav/lA1G06oTLuhgLDbMjyi4jUcSszPRW0YqsOTLvw=
=O00p
-----END PGP SIGNATURE-----
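As an added example that is not part of this message or of the Suricata project: a small Python generator that emits the one-rule-per-hostname set Cooper and Erich recommend, next to the single-PCRE rule Josh asked about, so the trade-off is visible in concrete rule text. The hostnames, the sid range and the msg prefix are constructed placeholders; the rule syntax relies on Suricata's `http_host` content modifier and its `W` pcre flag (which selects the normalised host buffer), and the rules are written with `alert` so the action can be swapped for `drop` on an inline sensor.

```python
import re

# Constructed sample blocklist (placeholders, not hostnames from the thread).
# Mixed case on purpose: Suricata's http_host buffer is lowercase-normalised,
# so content matched against it must be lowercase and must not use nocase.
BLOCKLIST = ["bad.example.com", "Evil.Example.NET", "c2.example.org"]

# Hostnames may only contain these characters. Anything else (quotes,
# semicolons, slashes) could break out of the content string or the pcre
# delimiter when the blocklist is fed in from an untrusted source.
SAFE_HOSTNAME = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")

HEADER = "{action} http $HOME_NET any -> $EXTERNAL_NET any"
TAIL = "classtype:trojan-activity; sid:{sid}; rev:1;"


def normalise(hosts):
    """Lowercase, strip, de-duplicate (keeping order) and validate hostnames."""
    seen = []
    for raw in hosts:
        host = raw.strip().lower()
        if not SAFE_HOSTNAME.match(host):
            raise ValueError(f"refusing unsafe hostname: {raw!r}")
        if host not in seen:
            seen.append(host)
    return seen


def one_rule_per_host(hosts, base_sid=9000001, action="alert"):
    """One Suricata rule per hostname: the approach recommended in the thread.

    Each rule carries a plain content match on the http_host buffer, which
    Suricata can prefilter with its multi-pattern matcher; only requests that
    actually contain the hostname are evaluated further.
    """
    header = HEADER.format(action=action)
    rules = []
    for offset, host in enumerate(normalise(hosts)):
        rules.append(
            f'{header} (msg:"BLOCKLIST HTTP Host {host}"; '
            f"flow:established,to_server; "
            f'content:"{host}"; http_host; '
            f"{TAIL.format(sid=base_sid + offset)})"
        )
    return rules


def single_pcre_rule(hosts, sid=9000000, action="alert"):
    """The single-rule alternative Josh asked about.

    One regex alternation anchored to the whole host value. There is no
    content keyword for the prefilter to key on, so the regex engine runs
    against the host of every HTTP request the sensor inspects.
    """
    header = HEADER.format(action=action)
    alternation = "|".join(h.replace(".", r"\.") for h in normalise(hosts))
    return (
        f'{header} (msg:"BLOCKLIST HTTP Host (pcre list)"; '
        f"flow:established,to_server; "
        f'pcre:"/^(?:{alternation})$/W"; '
        f"{TAIL.format(sid=sid)})"
    )


if __name__ == "__main__":
    print("# one rule per hostname")
    for rule in one_rule_per_host(BLOCKLIST):
        print(rule)
    print("\n# single PCRE rule")
    print(single_pcre_rule(BLOCKLIST))
```

Run it to print both variants; the per-host rules load as an ordinary `.rules` file once the sid range is adjusted to one your deployment reserves. The validation step matters when the hostname list comes from an external feed, since a stray `"` or `;` in an entry would otherwise alter the generated rule.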


