Feature #1389: suppress by host
Status: open
Description
From the rule description at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules and the suppress example at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic it's unclear if it's possible to suppress an alert for a particular hostname.
The problem is that the rule description does not mention "suppress" at all, while the documentation on ignoring traffic is very brief and it's unclear how one could suppress alerts for the traffic going to (or from) my.host.com
Updated by god lol over 9 years ago
Note: suppressing based on IP is less desirable due to dyndns hosts.
Updated by Victor Julien over 9 years ago
I can see how this could work for http where we could use the actual hostname to match the hostname in the request, but how would this otherwise work? Would you expect suri to do the dns lookup to get the IP of the hostname?
Updated by god lol over 9 years ago
My personal use-case is SIP where it can also be extracted directly in theory (no corresponding Suricata helper yet). Although I can see how it can be handy regardless of the protocol, so having infrastructure to do DNS requests and cache the results for the correct time would definitely be useful.
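The two mechanisms discussed above can be written down with Suricata's existing syntax. The following is an added illustration, not text from the issue or from the Suricata project: an IP-based suppression entry for threshold.config (the approach the reporter finds less desirable because the address of a dyndns host changes), and, for HTTP only, a pass rule that keys on the hostname in the request, which is the case Victor describes. The signature id 2000001, the address 203.0.113.10 and the hostname my.host.com are constructed placeholders; the pass rule uses the http.host sticky buffer, which holds the normalised (lowercased) Host header.

```suricata
# --- threshold.config (constructed example) ---
# Suppress alerts from signature 2000001 (placeholder sid) when the
# source address is 203.0.113.10. This is tied to the IP, so it
# silently stops working once a dyndns hostname resolves elsewhere.
suppress gen_id 1, sig_id 2000001, track by_src, ip 203.0.113.10

# --- local.rules (constructed example, HTTP only) ---
# A pass rule ends inspection of the flow once the request's Host
# header equals my.host.com, so no later alert rule fires for it.
# Pass rules are evaluated before alert rules, regardless of order.
# This keys on what the client sent, not on a DNS lookup, so it does
# not help for non-HTTP protocols such as SIP.
pass http any any -> any any (msg:"Ignore HTTP traffic to my.host.com"; \
    flow:to_server; http.host; content:"my.host.com"; bsize:11; \
    sid:2000002; rev:1;)
```

The bsize check makes the match exact rather than a substring match (so evil-my.host.com is not ignored); drop it if subdomains should also be passed. Both files are only read at start-up or on a rule reload, so a change to either needs a reload to take effect.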
Updated by Victor Julien over 8 years ago
- Tracker changed from Support to Feature
Updated by Andreas Herz about 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD