<p><strong>Open Information Security Foundation: Suricata - Feature #1249: http/dns ip-reputation alike technique</strong> (feed updated 2016-02-16T16:17:09Z)</p>
<p><strong>Journal entry 6326</strong>, 2016-02-16T16:17:09Z, Andreas Herz (oisf@herzandreas.de): <a class="external" href="https://redmine.openinfosecfoundation.org/issues/1249?journal_id=6326">https://redmine.openinfosecfoundation.org/issues/1249?journal_id=6326</a></p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Assignee</strong> set to <i>Anonymous</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p><strong>Journal entry 9079</strong>, 2017-12-01T05:19:42Z, Victor Julien (victor@inliniac.net): <a class="external" href="https://redmine.openinfosecfoundation.org/issues/1249?journal_id=9079">https://redmine.openinfosecfoundation.org/issues/1249?journal_id=9079</a></p>
<ul><li><strong>Parent task</strong> set to <i>#2318</i></li></ul>
<p><strong>Journal entry 10408</strong>, 2018-11-12T14:13:56Z, David Wharton: <a class="external" href="https://redmine.openinfosecfoundation.org/issues/1249?journal_id=10408">https://redmine.openinfosecfoundation.org/issues/1249?journal_id=10408</a></p>
<p>I agree that having DNS Reputation would be valuable. It could be called "dnsrep" since it would be like iprep but for domain names.</p>
<p>Certainly it would inspect DNS requests. It could also be extended to look at the SNI field of TLS client requests and the HTTP Host header although I’m not convinced these are necessary. The nice thing is that these fields are already parsed out and normalized, and rules could be written (or programmatically generated) currently to identify traffic based off of domain names. However, this becomes onerous once you start dealing with a dynamic DNS blacklist of non-trivial size.</p>
<p>The DNS blacklist file should be just that -- a text file that Suricata reads and can reload quickly without significant internal effort. Reload should be able to be triggered via signal/socket/API call.</p>
<p>Since DNS blacklist matching involves multi-pattern match, Hyperscan could/should be utilized if available (although this would increase load/reload time since the Hyperscan database would have to be built/rebuilt, but this is likely worth it given the frequency of reload; see below comment). Using Hyperscan as the MPM would also enable the powerful ability to use PCRE to match domain names, while maintaining performance.</p>
<p>I expect the frequency of dnsrep reloads in practice to be somewhere between a few times an hour to a few times a day, with the latter end of the spectrum being more likely.</p>
<p><strong>Journal entry 10536</strong>, 2018-11-24T07:49:45Z, Victor Julien (victor@inliniac.net): <a class="external" href="https://redmine.openinfosecfoundation.org/issues/1249?journal_id=10536">https://redmine.openinfosecfoundation.org/issues/1249?journal_id=10536</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>Anonymous</i> to <i>Victor Julien</i></li></ul>
<p><strong>Journal entry 13484</strong>, 2019-09-05T07:49:59Z, Victor Julien (victor@inliniac.net): <a class="external" href="https://redmine.openinfosecfoundation.org/issues/1249?journal_id=13484">https://redmine.openinfosecfoundation.org/issues/1249?journal_id=13484</a></p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>5.0rc1</i></li></ul>
<p>DNS</p>
<pre>
alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:3;)
</pre>
<p>HTTP HOST</p>
<pre>
alert http any any -> any any (http.host; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:4;)
</pre>
<p><a class="external" href="https://github.com/OISF/suricata/pull/4166">https://github.com/OISF/suricata/pull/4166</a></p>
<p><a class="external" href="https://suricata.readthedocs.io/en/latest/rules/datasets.html">https://suricata.readthedocs.io/en/latest/rules/datasets.html</a></p>
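<p>The following is an added example (editor's code, not Suricata's and not from the pull request above) showing how the <code>dns_string.rep</code> file referenced by those two rules can be generated and validated, and how the <code>datarep:dns_string, &gt;, 200</code> comparison behaves for a given <code>dns.query</code> or <code>http.host</code> value. It assumes the on-disk format the datasets documentation describes for string-type datarep files: one entry per line, the value base64-encoded, a comma, then the integer reputation. The hostnames and scores are constructed sample data, and the matcher does an exact string lookup; it does not reproduce Suricata's buffer normalization.</p>

```python
import base64
import os
import tempfile
from typing import Dict

# Constructed sample data (hypothetical names): hostname -> reputation score.
SAMPLE_REPUTATION: Dict[str, int] = {
    "bad.example.test": 250,
    "suspicious.example.test": 150,
    "good.example.test": 10,
}


def write_datarep_file(path: str, rep: Dict[str, int]) -> None:
    """Write rep as a string-type datarep file: base64(value),score per line.

    Assumed format (see lead-in): the value is base64-encoded so that any
    byte sequence, including commas, survives the text file unambiguously.
    """
    with open(path, "w", encoding="ascii") as fh:
        for value, score in rep.items():
            if score < 0:
                raise ValueError(f"negative reputation for {value!r}: {score}")
            enc = base64.b64encode(value.encode("utf-8")).decode("ascii")
            fh.write(f"{enc},{score}\n")


def load_datarep_file(path: str) -> Dict[str, int]:
    """Parse a string-type datarep file back into a hostname -> score map.

    Malformed lines raise instead of being skipped, so a bad feed export
    fails the reload loudly rather than silently dropping entries.
    """
    rep: Dict[str, int] = {}
    with open(path, encoding="ascii") as fh:
        for lineno, raw in enumerate(fh, start=1):
            line = raw.strip()
            if not line:
                continue
            # base64 never contains ',', so the last comma separates the score.
            enc, sep, score = line.rpartition(",")
            if not sep or not score.isdigit():
                raise ValueError(f"{path}:{lineno}: expected base64,score, got {line!r}")
            try:
                value = base64.b64decode(enc, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError) as exc:
                raise ValueError(f"{path}:{lineno}: bad base64 value") from exc
            rep[value] = int(score)
    return rep


def datarep_match(rep: Dict[str, int], name: str, op: str = ">", threshold: int = 200) -> bool:
    """Evaluate `datarep:<set>, <op>, <threshold>` for one buffer value.

    A name absent from the set never matches; a present name matches when
    its score satisfies the comparison. Exact lookup only (simplification).
    """
    score = rep.get(name)
    if score is None:
        return False
    if op == ">":
        return score > threshold
    if op == "<":
        return score < threshold
    if op == "==":
        return score == threshold
    raise ValueError(f"unsupported datarep operator {op!r}")


def roundtrip(rep: Dict[str, int]) -> Dict[str, int]:
    """Write rep to a temporary dns_string.rep, reload it and return the map."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dns_string.rep")
        write_datarep_file(path, rep)
        return load_datarep_file(path)


if __name__ == "__main__":
    loaded = roundtrip(SAMPLE_REPUTATION)
    for host in ("bad.example.test", "suspicious.example.test", "unknown.example.test"):
        print(f"{host}: alert={datarep_match(loaded, host)}")
```

<p>With the threshold of 200 used in the rules above, only <code>bad.example.test</code> (score 250) would trigger sid 3 or sid 4; the 150-scored entry is present in the set but below the threshold, and an unknown name never matches. Regenerating the file from a feed and reloading it is the workflow the thread asks for, so the loader's strictness is the part worth keeping: a silently truncated reputation file is a detection gap you will not see in the logs.</p>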