Feature #1249: http/dns ip-reputation alike technique
Status: closed
Feature #2318: matching on large amounts of data with dynamic updates
Description
(for reference) https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-July/003975.html
- applying different concepts within the IDS: like the IP
reputation/md5list that lets you load a file containing IOCs. However,
importing hostnames and domain names from a file, and matching them on the http/dns app layer.

Yeah, I would like to support this. In your case I think you have almost
100% exact matches. For this, hash lookups would be fine. The advanced
rule logic isn't necessary. Then a single rule can be used, and using
the json output we could add what we matched on. Not supported
currently, but I think this is the way forward.
That feature would be great. One small correction about the match. For
hostnames it's 100% match.
What we call domains is foo.com and *.foo.com.
What I'm doing now is (for dns, but the same applies to http):
- dns_query; content:"malicioushostname.com"; nocase; pcre:"/(|[^A-Za-z0-9-\.])malicioushostname\.com$/i";
- dns_query; content:"maliciousdomain.com"; nocase; pcre:"/(|[^A-Za-z0-9-])maliciousdomain\.com$/i";
(the second regex could also be (^|\s|\.)foo.com$, but I'm not sure
which one is the best)
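As an added example (not code from the thread or from Suricata), this shows the hash-lookup approach proposed in the reply above: exact set lookups for hostnames, and a label-by-label suffix walk for domains so that foo.com also covers *.foo.com without a regex per IOC. The IOC values are constructed placeholders.

```python
# Added example, not Suricata code: hash-lookup matching of DNS/HTTP names
# against IOC lists. Hostnames must match exactly; a "domain" IOC foo.com
# also covers *.foo.com. The IOC values below are constructed placeholders.
HOSTNAME_IOCS = {"malicioushostname.com"}
DOMAIN_IOCS = {"maliciousdomain.com"}


def normalize(name):
    """Lower-case and drop a trailing dot so 'Foo.COM.' and 'foo.com' compare equal."""
    return name.strip().lower().rstrip(".")


def match_hostname(name, hostnames=HOSTNAME_IOCS):
    """Exact match only: one set lookup, no regex needed."""
    n = normalize(name)
    return n if n in hostnames else None


def match_domain(name, domains=DOMAIN_IOCS):
    r"""Return the listed domain that name equals or is a subdomain of.

    Walks label boundaries right to left: for a.b.foo.com it tries
    a.b.foo.com, b.foo.com, foo.com, com. This is what (^|\.)foo\.com$
    expresses, but costs one lookup per label instead of one regex per IOC,
    and notfoo.com can never match because '.' is the only split point.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify(name):
    """Return ('hostname', ioc), ('domain', ioc) or None, mirroring the two rule types."""
    ioc = match_hostname(name)
    if ioc:
        return ("hostname", ioc)
    ioc = match_domain(name)
    if ioc:
        return ("domain", ioc)
    return None
```

The matched IOC returned by classify() is what the reply suggests adding to the JSON output, so one rule can cover the whole list while the alert still says which entry fired.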