Feature #1757: URL Reputation (closed)

Parent task: Feature #2318: matching on large amounts of data with dynamic updates

Added by Sahil Bhola over 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: Victor Julien
Target version: 5.0rc1

Description

Hello Team,

I would like to see if Suricata can do URL reputation in addition to IP reputation.

Thanks

Sahil Bhola


Files

URL_Reputation_sample.csv (5.11 KB): Sample bad URLs for URL reputation. Sahil Bhola, 04/04/2016 11:11 AM

Related issues (1, closed)

Related to Suricata - Feature #748: URL Reputation (Closed, 02/01/2013)
#1 Updated by Victor Julien over 8 years ago

Can you be more specific about what you have in mind? Looking for info like how reputation would be defined, what to match on exactly (entire URL, just hostname, etc), how many URLs would have to be supported, etc.

#2 Updated by Sahil Bhola over 8 years ago

We get data feeds that contain IP addresses and URLs. We are using the IP reputation feature to be alerted if any of the bad IP addresses are accessed. We want the same feature for the URLs. We want a feature in Suricata where we should be able to load the URLs in the reputation file with the category and reputation ID (same as IP reputation) and, if those URLs are accessed, Suricata should generate an alert. I am attaching sample bad URLs with the reputation rating for your reference.

If you could do the entire URL that would be great. Hostnames are also fine with us. We have a total of about 8000 bad URLs that we want to load on Suricata. Please let me know if you have any questions for me.

Thanks

Sahil Bhola

#3 Updated by Sahil Bhola over 8 years ago

Hello Team,

Hope my explanation was more specific. Please let me know if you have any questions.

Sahil

#4 Updated by Victor Julien over 8 years ago

  • Priority changed from High to Normal
  • Target version set to TBD

#5 Updated by Andreas Herz over 8 years ago

  • Assignee set to Anonymous

#6 Updated by Andreas Herz over 7 years ago

#7 Updated by Sahil Bhola over 7 years ago

@Andreas Herz - Is the URL reputation feature supported by Suricata now?

#8 Updated by Andreas Herz over 7 years ago

Sahil Bhola wrote:

@Andreas Herz - Is the URL reputation feature supported by Suricata now?

Not yet; it's just that the other ticket had the exact same request.

#9 Updated by Victor Julien over 7 years ago

For now it's assigned to 'community' which means that the OISF team won't work on it. Community members can contribute the feature in code. Other options, like funded development, can be discussed privately.

#10 Updated by Victor Julien about 7 years ago

  • Parent task set to #2318

#11 Updated by Kenneth Kolano about 6 years ago

Though direct handling from dictionary files isn't supported, URLs can be detected in rules fairly easily, so Suricata does support this now; though perhaps there would be some performance benefits to not handling it via rules.

#12 Updated by Andreas Herz almost 6 years ago

  • Assignee set to Community Ticket

#13 Updated by Victor Julien over 5 years ago

  • Status changed from New to Closed
  • Assignee changed from Community Ticket to Victor Julien
  • Target version changed from TBD to 5.0rc1

HTTP URI

alert http any any -> any any (http.uri; datarep:uri_rep, >, 200, load uri_rep.rep, type string; sid:4;)

https://github.com/OISF/suricata/pull/4166

https://suricata.readthedocs.io/en/latest/rules/datasets.html
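The closing comment shows the datarep rule but not how to get from a feed like the attached CSV to the file the rule loads. The script below is an added example written for this ticket; it is not Suricata project code and not the original poster's feed. It assumes the feed is a CSV with columns url,category,reputation (the attachment's real layout is not reproduced here), that the datarep file for type string holds one line of the form base64-value,reputation as described in the datasets documentation linked above, and that the output files are named host_rep.rep and uri_rep.rep. Because Suricata has no single buffer holding the whole URL, each feed entry is split into a hostname key for http.host and a request-URI key for http.uri, and two rules in the style of the one above are emitted. The sample feed embedded in the script is constructed; its hosts and paths are placeholders.

```python
"""Turn a URL reputation feed into Suricata datarep files and matching rules.

Added example for ticket #1757, not Suricata project code. Assumed (not from
the ticket): feed columns url,category,reputation; output names host_rep.rep
and uri_rep.rep; datarep 'type string' file lines of '<base64 value>,<rep>'.
"""
import base64
import csv
import io
from urllib.parse import urlsplit

# Constructed sample feed; the hosts and paths are placeholders, not real IOCs.
SAMPLE_FEED = """url,category,reputation
http://malware.example/evil/path,Malware,200
http://malware.example/evil/path?x=1,Malware,250
https://phish.example/,Phishing,300
PHISH.EXAMPLE/login,Phishing,100
"""


def normalize_url(url):
    """Split a feed URL into (lowercased host, request URI).

    http.host carries the lowercased Host header and http.uri the request
    URI, so one feed entry becomes one key for each of those buffers.
    """
    url = url.strip()
    if "://" not in url:  # feeds frequently omit the scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return host, uri


def parse_feed(csv_text):
    """Return [(host, uri, reputation)] for every usable feed row."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host, uri = normalize_url(row["url"])
        try:
            rep = int(row["reputation"])
        except (TypeError, ValueError):
            continue  # skip rows whose score is not an integer
        if host and rep >= 0:
            entries.append((host, uri, rep))
    return entries


def encode_rep_entry(value, rep):
    """One datarep line: base64 of the string value, a comma, the score."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii") + "," + str(rep)


def decode_rep_file(text):
    """Parse a datarep file back into {value: reputation} to check the output."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            b64, rep = line.rsplit(",", 1)
            result[base64.b64decode(b64).decode("utf-8")] = int(rep)
    return result


def build_rep_files(csv_text):
    """Return {file name: content} for the host and URI datarep sets.

    A key seen more than once keeps its highest score. The bare root path "/"
    is dropped from the URI set: that set is not tied to a host, so "/" would
    alert on every site's front page.
    """
    hosts, uris = {}, {}
    for host, uri, rep in parse_feed(csv_text):
        hosts[host] = max(hosts.get(host, 0), rep)
        if uri != "/":
            uris[uri] = max(uris.get(uri, 0), rep)

    def render(table):
        return "".join(encode_rep_entry(k, v) + "\n" for k, v in sorted(table.items()))

    return {"host_rep.rep": render(hosts), "uri_rep.rep": render(uris)}


def build_rules(threshold=200, sid_base=4000001):
    """Two rules in the style of the ticket's closing example, one per buffer."""
    fmt = ('alert http any any -> any any (msg:"{msg}"; {buf}; '
           'datarep:{name}, >, {thr}, load {name}.rep, type string; '
           'sid:{sid}; rev:1;)')
    return [
        fmt.format(msg="Bad host reputation", buf="http.host", name="host_rep",
                   thr=threshold, sid=sid_base),
        fmt.format(msg="Bad URI reputation", buf="http.uri", name="uri_rep",
                   thr=threshold, sid=sid_base + 1),
    ]


if __name__ == "__main__":
    for name, content in build_rep_files(SAMPLE_FEED).items():
        with open(name, "w", encoding="ascii") as fh:
            fh.write(content)
        print("wrote", name)
    print("\n".join(build_rules()))
```

Two things to check before relying on this in production. The datarep comparison is strict, so with `>, 200` an entry scored exactly 200 never alerts; pick the threshold against the feed's scale. Matching is exact on the buffer contents, and http.uri is the normalized URI, so a feed path that relies on percent-encoding or other tricks that the normalizer rewrites will not match unless the entry is written the normalized way (http.uri.raw is the alternative buffer for the raw request line).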
