<p>Open Information Security Foundation - Suricata - Feature #1757: URL Reputation (https://redmine.openinfosecfoundation.org/issues/1757)</p>
<p>2016-04-04T10:39:12Z - Victor Julien (victor@inliniac.net) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=6656</p>
<p>Can you be more specific about what you have in mind? Looking for info like how reputation would be defined, what to match on exactly (entire URL, just hostname, etc.), how many URLs would have to be supported, etc.</p>
<p>2016-04-04T11:14:23Z - Sahil Bhola - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=6658</p>
<ul><li><strong>File</strong> <a href="/attachments/1203">URL_Reputation_sample.csv</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1203/URL_Reputation_sample.csv">URL_Reputation_sample.csv</a> added</li></ul>
<p>We get data feeds that contain IP addresses and URLs. We are using the IP reputation feature to be alerted if any of the bad IP addresses are accessed. We want the same feature for the URLs. We want a feature in Suricata where we should be able to load the URLs in the reputation file with the category and reputation id (same as IP reputation), and if those URLs are accessed, Suricata should generate an alert. I am attaching sample bad URLs with the reputation rating for your reference.</p>
<p>If you could do the entire URL, that would be great. Hostnames are also fine with us. We have a total of about 8000 bad URLs that we want to load on Suricata. Please let me know if you have any questions for me.</p>
<p>Thanks</p>
<p>Sahil Bhola</p>
<p>2016-04-06T07:37:11Z - Sahil Bhola - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=6675</p>
<p>Hello Team,</p>
<p>Hope my explanation was more specific. Please let me know if you have any questions.</p>
<p>Sahil</p>
<p>2016-06-15T05:05:34Z - Victor Julien (victor@inliniac.net) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=6942</p>
<ul><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>
<p>2016-09-08T14:49:58Z - Andreas Herz (oisf@herzandreas.de) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=7342</p>
<ul><li><strong>Assignee</strong> set to <i>Anonymous</i></li></ul>
<p>2017-05-03T15:36:38Z - Andreas Herz (oisf@herzandreas.de) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=8152</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/748">Feature #748</a>: URL Reputation</i> added</li></ul>
<p>2017-05-03T18:58:21Z - Sahil Bhola - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=8199</p>
<p>@Andreas Herz - Is the URL reputation feature supported by Suricata now?</p>
<p>2017-05-04T15:26:41Z - Andreas Herz (oisf@herzandreas.de) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=8208</p>
<p>Sahil Bhola wrote:</p>
<blockquote>
<p>@Andreas Herz - Is the URL reputation feature supported by Suricata now?</p>
</blockquote>
<p>Not yet; it's just that the other ticket had the exact same request.</p>
<p>2017-05-08T04:07:50Z - Victor Julien (victor@inliniac.net) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=8221</p>
<p>For now it's assigned to 'community', which means that the OISF team won't work on it. Community members can contribute the feature in code. Other options, like funded development, can be discussed privately.</p>
<p>2017-12-01T05:20:21Z - Victor Julien (victor@inliniac.net) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=9081</p>
<ul><li><strong>Parent task</strong> set to <i>#2318</i></li></ul>
<p>2018-11-27T10:33:36Z - Kenneth Kolano - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=10549</p>
<p>Though direct handling from dictionary files isn't supported, URLs can be detected in rules fairly easily, so Suricata does support this now; though perhaps there would be some performance benefits to not handling it via rules.</p>
<p>2019-02-23T22:18:32Z - Andreas Herz (oisf@herzandreas.de) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=11234</p>
<ul><li><strong>Assignee</strong> set to <i>Community Ticket</i></li></ul>
<p>2019-09-05T07:50:58Z - Victor Julien (victor@inliniac.net) - https://redmine.openinfosecfoundation.org/issues/1757?journal_id=13485</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> changed from <i>Community Ticket</i> to <i>Victor Julien</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>5.0rc1</i></li></ul>
<p>HTTP URI</p>
<pre>
alert http any any -> any any (http.uri; datarep:uri_rep, >, 200, load uri_rep.rep, type string; sid:4;)
</pre>
<p><a class="external" href="https://github.com/OISF/suricata/pull/4166">https://github.com/OISF/suricata/pull/4166</a></p>
<p><a class="external" href="https://suricata.readthedocs.io/en/latest/rules/datasets.html">https://suricata.readthedocs.io/en/latest/rules/datasets.html</a></p>
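<p>An added illustration (not code from the ticket or from the Suricata project) of how a feed like the one attached above could be turned into the <code>uri_rep.rep</code> file the closing rule loads. The CSV column layout is assumed, since the attachment is not reproduced here; the file format written (base64-encoded string value, comma, integer reputation) follows my reading of the linked datasets documentation and should be checked against the Suricata version in use. One point the ticket's "entire URL vs. hostname" discussion makes relevant: <code>http.uri</code> matches only the request URI, so the host part of each feed entry has to go into a separate dataset keyed for <code>http.host</code>.</p>

```python
import base64
import csv
import io
from urllib.parse import urlsplit

# Constructed sample feed; the real attachment's columns are assumed here.
SAMPLE_FEED = """url,category,reputation
http://malware.example.com/dl/dropper.exe,Malware,250
http://malware.example.com/dl/loader.bin,Malware,100
http://phish.example.net/login/index.php?acct=1,Phishing,180
http://cdn.example.org/static/app.js,Benign,10
"""


def split_feed(text):
    """Return two {value: rep} tables from the feed: one keyed by request URI
    (path plus query, what http.uri sees) and one keyed by hostname (for
    http.host). When a key repeats, the highest reputation score wins."""
    uri_rep, host_rep = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        parts = urlsplit(row["url"].strip())
        rep = int(row["reputation"])
        uri = parts.path or "/"
        if parts.query:
            uri += "?" + parts.query
        uri_rep[uri] = max(rep, uri_rep.get(uri, 0))
        host_rep[parts.hostname] = max(rep, host_rep.get(parts.hostname, 0))
    return uri_rep, host_rep


def to_datarep_lines(table):
    """Format a table as datarep 'type string' entries: base64(value),rep.
    (Assumed file layout; verify against the datasets docs for your release.)"""
    return [base64.b64encode(value.encode()).decode() + "," + str(rep)
            for value, rep in sorted(table.items())]


def matches(table, value, threshold=200):
    """Model the rule's 'datarep:uri_rep, >, 200' test: the value must be in
    the set AND its score must exceed the threshold, so an absent value or a
    score of exactly 200 does not alert."""
    return table.get(value, -1) > threshold


if __name__ == "__main__":
    uri_table, host_table = split_feed(SAMPLE_FEED)
    print("\n".join(to_datarep_lines(uri_table)))   # contents for uri_rep.rep
    print("\n".join(to_datarep_lines(host_table)))  # contents for a host_rep.rep
```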