Project

General

Profile

Actions

Feature #1249

closed

Feature #2318: matching on large amounts of data with dynamic updates

http/dns ip-reputation alike technique

Added by Christophe Vandeplas over 10 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

(as a reference) https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-July/003975.html

- applying different concepts within the IDS: like the IP
reputation/md5list that let's you load a file containing IOCs. However
importing hostnames and domainnames from a file, and match them on http/dns app layer

Yeah, I would like to support this. In your case I think you have almost
a 100% exact matches. For this hash lookups would be fine. The advanced
rule logic isn't necessary. Then a single rule can be used, and using
the json output we could add what we matched on. Not supported
currently, but I think this is the way forward.

That feature would be great. One small correction about the match. For
hostnames it's 100% match.
What we call domains is foo.com and *.foo.com.

What I'm doing now is: (for dns, but the same applies to http)

- dns_query; content:"malicioushostname.com"; nocase; pcre:
"/(|[^A-Za-z0-9-\.]) malicioushostname\.com$/i";
- dns_query; content:"mailliciousdomain.com"; nocase; pcre:
"/(
|[^A-Za-z0-9-]) maliciousdomain\.com$/i";
(the second regex could also be (^|\s|\.)foo.com$ , but I'm not sure
which one is the best)

Actions

Also available in: Atom PDF