Feature #1389

open

suppress by host

Added by god lol over 6 years ago. Updated about 5 years ago.

Status: New
Priority: Normal

Description

From the rule description at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules and the suppress example at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic it's unclear if it's possible to suppress an alert for a particular hostname.

The problem is that the rule description does not mention "suppress" at all, while the documentation on ignoring traffic is very brief and it's unclear how one could suppress alerts for the traffic going to (or from) my.host.com.

Actions #1

Updated by god lol over 6 years ago

Note: suppressing based on IP is less desirable due to dyndns hosts.

Actions #2

Updated by Victor Julien over 6 years ago

I can see how this could work for http where we could use the actual hostname to match the hostname in the request, but how would this otherwise work? Would you expect suri to do the dns lookup to get the IP of the hostname?

Actions #3

Updated by god lol over 6 years ago

My personal use-case is SIP, where it can also be extracted directly in theory (no corresponding Suricata helper yet). Although I can see how it can be handy regardless of the protocol, so having infrastructure to do DNS requests and cache the results for the correct time would definitely be useful.
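The approach discussed in #2 and #3 (resolve the hostname, cache the answer for its TTL, suppress by the resulting addresses) can be done outside Suricata today by generating `threshold.config` suppress entries. The following is an added example written for this note, not code from Suricata or the reporter; the resolver, clock, hostname, addresses and sid are all constructed stand-ins so it runs offline. The `suppress gen_id ..., sig_id ..., track ..., ip ...` line format is Suricata's documented threshold.config syntax.

```python
import time
from typing import Callable, Dict, List, Tuple

# A resolver returns (addresses, ttl_seconds). A real one would query DNS;
# the example injects a constructed one so it runs offline.
Resolver = Callable[[str], Tuple[List[str], int]]


class HostCache:
    """Caches hostname -> addresses and re-resolves only once the TTL has passed."""

    def __init__(self, resolver: Resolver, clock: Callable[[], float] = time.monotonic):
        self._resolver = resolver
        self._clock = clock
        self._entries: Dict[str, Tuple[List[str], float]] = {}  # host -> (addrs, expiry)

    def addresses(self, host: str) -> List[str]:
        now = self._clock()
        cached = self._entries.get(host)
        if cached is None or cached[1] <= now:          # miss or TTL expired
            addrs, ttl = self._resolver(host)
            self._entries[host] = (sorted(set(addrs)), now + ttl)
        return list(self._entries[host][0])


def suppress_lines(host: str, sids: List[int], cache: HostCache, gid: int = 1) -> List[str]:
    """Emit one threshold.config suppress entry per address, sid and direction,
    so alerts for traffic to or from the host are dropped."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"
        for ip in cache.addresses(host)
        for sid in sids
        for track in ("by_src", "by_dst")
    ]


# Constructed DNS answers (TEST-NET-3 addresses, placeholder sid 1000001).
FAKE_DNS: Dict[str, Tuple[List[str], int]] = {"my.host.com": (["203.0.113.10", "203.0.113.11"], 300)}


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Show the dyndns case: the address changes, but the cache only follows after the TTL."""
    clock = [0.0]
    cache = HostCache(lambda h: FAKE_DNS[h], clock=lambda: clock[0])
    first = suppress_lines("my.host.com", [1000001], cache)
    FAKE_DNS["my.host.com"] = (["203.0.113.20"], 300)  # dyndns moved the host
    clock[0] = 100.0                                    # TTL still valid: old addresses
    second = suppress_lines("my.host.com", [1000001], cache)
    clock[0] = 400.0                                    # TTL expired: re-resolved
    third = suppress_lines("my.host.com", [1000001], cache)
    return first, second, third
```

Writing the output of `suppress_lines` into threshold.config on a timer tied to the TTL gives hostname-based suppression without Suricata itself doing lookups, at the cost of a window where a changed address is not yet covered.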

Actions #4

Updated by Victor Julien over 5 years ago

  • Tracker changed from Support to Feature

Actions #5

Updated by Andreas Herz about 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD