Feature #1757 (closed)
Feature #2318: matching on large amounts of data with dynamic updates
URL Reputation
Added by Sahil Bhola over 8 years ago. Updated about 5 years ago.
Description
Hello Team,
I would like to see if Suricata can do URL reputation in addition to IP reputation.
Thanks
Sahil Bhola
Files
URL_Reputation_sample.csv (5.11 KB) - Sample bad URLs for URL reputation - Sahil Bhola, 04/04/2016 11:11 AM
Updated by Victor Julien over 8 years ago
Can you be more specific about what you have in mind? Looking for info like how reputation would be defined, what to match on exactly (entire URL, just hostname, etc), how many URLs would have to be supported, etc.
Updated by Sahil Bhola over 8 years ago
We get data feeds that contain IP addresses and URLs. We are using the IP reputation feature to be alerted if any of the bad IP addresses are accessed. We want the same feature for the URLs. We want a feature in Suricata where we should be able to load the URLs in the reputation file with the category and reputation id (same as IP reputation) and, if those URLs are accessed, Suricata should generate an alert. I am attaching sample bad URLs with the reputation rating for your reference.
If you could do the entire URL that would be great. Host names are also fine with us. We have a total of about 8000 bad URLs that we want to load on Suricata. Please let me know if you have any questions for me.
Thanks
Sahil Bhola
Updated by Sahil Bhola over 8 years ago
Hello Team,
Hope my explanation was more specific. Please let me know if you have any questions.
Sahil
Updated by Victor Julien over 8 years ago
- Priority changed from High to Normal
- Target version set to TBD
Updated by Andreas Herz over 7 years ago
- Related to Feature #748: URL Reputation added
Updated by Sahil Bhola over 7 years ago
@Andreas Herz - Is URL reputation feature supported by suricata now?
Updated by Andreas Herz over 7 years ago
Sahil Bhola wrote:
@Andreas Herz - Is URL reputation feature supported by suricata now?
Not yet, it's just that the other ticket had the exact same request.
Updated by Victor Julien over 7 years ago
For now it's assigned to 'community' which means that the OISF team won't work on it. Community members can contribute the feature in code. Other options, like funded development, can be discussed privately.
Updated by Kenneth Kolano almost 6 years ago
Though direct handling from dictionary files isn't supported, URLs can be detected in rules fairly easily, so Suricata does support this now; though perhaps there would be some performance benefits of not handling it via rules.
Updated by Victor Julien about 5 years ago
- Status changed from New to Closed
- Assignee changed from Community Ticket to Victor Julien
- Target version changed from TBD to 5.0rc1
HTTP URI
alert http any any -> any any (http.uri; datarep:uri_rep, >, 200, load uri_rep.rep, type string; sid:4;)
https://github.com/OISF/suricata/pull/4166
https://suricata.readthedocs.io/en/latest/rules/datasets.html
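As an added example (not code from this ticket or from the Suricata project), the following Python script turns a feed laid out like the iprep files (url,category,reputation) into the datarep files a rule such as the one above loads. It assumes the file format the datasets documentation gives for string datasets (base64-encoded value, a comma, the reputation score) and splits each URL, because http.host carries only the hostname and http.uri only the path and query, so a full URL would never match either buffer.

```python
import base64
import csv
import io
from urllib.parse import urlsplit

# Constructed sample feed laid out like Suricata's iprep files (value,category,
# reputation) but with URLs. Made-up entries, not the CSV attached to the ticket.
SAMPLE_FEED = """\
# url,category,reputation
http://bad.example.test/malware/payload.exe,1,250
https://phish.example.test/login?acct=1,2,180
HTTP://BAD.example.test/,1,220
"""

def parse_feed(text):
    """Yield (url, category, reputation), skipping comments and blank lines."""
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        url, category, rep = (field.strip() for field in row[:3])
        if int(rep) < 0:  # datarep compares scores numerically; reject junk early
            raise ValueError(f"bad reputation for {url}: {rep}")
        yield url, int(category), int(rep)

def split_url(url):
    """Return (host, uri) as http.host and http.uri see them: lowercased host,
    and path plus query. Neither buffer ever contains the scheme or host+path."""
    parts = urlsplit(url)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return (parts.hostname or "").lower(), uri

def to_datarep(values):
    """Serialize {value: rep} as '<base64 value>,<rep>' lines; string datasets
    store the value base64-encoded so commas and odd bytes stay unambiguous."""
    return "".join(f"{base64.b64encode(v.encode()).decode()},{r}\n"
                   for v, r in sorted(values.items()))

def build_rep_files(text):
    """Return (host_rep.rep, uri_rep.rep) contents. datarep has no category
    column, so it is dropped; a value seen twice keeps its highest score."""
    host_rep, uri_rep = {}, {}
    for url, _category, rep in parse_feed(text):
        host, uri = split_url(url)
        host_rep[host] = max(host_rep.get(host, 0), rep)
        if uri != "/":  # a bare "/" would flag the front page of every site
            uri_rep[uri] = max(uri_rep.get(uri, 0), rep)
    return to_datarep(host_rep), to_datarep(uri_rep)
```

Write the two strings to host_rep.rep and uri_rep.rep and point one datarep rule on http.host and one on http.uri at them; the host file is the one that actually catches a site on the feed, the uri file only specific paths.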