Feature #1757
closed
Feature #2318: matching on large amounts of data with dynamic updates
URL Reputation
Added by Sahil Bhola about 9 years ago.
Updated almost 6 years ago.
Description
Hello Team,
I would like to see if Suricata can do URL reputation in addition to IP reputation.
Thanks
Sahil Bhola
Can you be more specific about what you have in mind? Looking for info like how reputation would be defined, what to match on exactly (entire URL, just hostname, etc), how many URLs would have to be supported, etc.
We get data feeds that contain IP addresses and URLs. We are using the IP reputation feature to be alerted if any of the bad IP addresses are accessed. We want the same feature for the URLs. We want a feature in Suricata where we should be able to load the URLs in the reputation file with the category and reputation id (same as IP reputation), and if those URLs are accessed, Suricata should generate an alert. I am attaching sample bad URLs with the reputation rating for your reference.
If you could do the entire URL, that would be great. Hostnames are also fine with us. We have a total of about 8000 bad URLs that we want to load on Suricata. Please let me know if you have any questions for me.
Thanks
Sahil Bhola
Hello Team,
Hope my explanation was more specific. Please let me know if you have any questions.
Sahil
- Priority changed from High to Normal
- Target version set to TBD
- Assignee set to Anonymous
@Andreas Herz - Is URL reputation feature supported by suricata now?
Sahil Bhola wrote:
@Andreas Herz - Is URL reputation feature supported by suricata now?
Not yet; it's just that the other ticket had the exact same request.
For now it's assigned to 'community' which means that the OISF team won't work on it. Community members can contribute the feature in code. Other options, like funded development, can be discussed privately.
Though direct handling from dictionary files isn't supported, URLs can be detected in rules fairly easily, so Suricata does support this now, though perhaps there would be some performance benefit from not handling it via rules.
- Assignee set to Community Ticket
- Status changed from New to Closed
- Assignee changed from Community Ticket to Victor Julien
- Target version changed from TBD to 5.0rc1
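The closing comment says URL matching is already possible through ordinary rules. The script below is an added example of that approach, written for this page and not code from the Suricata project or the ticket: it turns a reputation feed of the kind the reporter describes into Suricata 5.x rules, matching the hostname exactly on the normalised `http.host` buffer and the path as a prefix on `http.uri`. The feed format (CSV columns `url,category,reputation`), the sample entries, the `min_reputation` cut-off and the SID range are all assumptions made for illustration.

```python
"""
Turn a URL reputation feed into Suricata rules (added example, not Suricata
project code).  Assumed feed format: CSV with columns url,category,reputation.
"""
import csv
from urllib.parse import urlsplit

# Constructed sample feed; the hosts are reserved example names, not real indicators.
SAMPLE_FEED = """url,category,reputation
http://malware.example/downloads/update.exe,Malware,90
https://phish.example/login;jsessionid=1,Phishing,75
http://cnc.example/,CnC,100
"""

# Characters emitted literally inside content:"..."; everything else is hex-escaped.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./-_~=?&")


def content_literal(text):
    """Render text as a Suricata content string, hex-escaping (|..|) anything
    outside SAFE so that ; " | \\ and non-ASCII never break rule parsing."""
    pieces, hexrun = [], []

    def flush():
        if hexrun:
            pieces.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for ch in text:
        if ch in SAFE:
            flush()
            pieces.append(ch)
        else:
            hexrun.extend(f"{b:02x}" for b in ch.encode("utf-8"))
    flush()
    return "".join(pieces)


def rule_for(url, category, reputation, sid):
    """Build one rule: exact match on the Host name, prefix match on the URI."""
    parts = urlsplit(url)
    host = parts.hostname          # lowercased and port-stripped, like http.host
    if not host:
        raise ValueError(f"no host in {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query

    # msg is quoted; keep it free of the characters the option parser cares about.
    msg = f"URL REPUTATION {category} rep={reputation} {host}{path}"
    msg = msg.replace('"', "'").replace(";", ",")

    opts = [
        f'msg:"{msg}"',
        "flow:established,to_server",
        "http.host",
        f'content:"{content_literal(host)}"',
        f"bsize:{len(host.encode('utf-8'))}",   # bsize pins the whole buffer: no substring hits
    ]
    if path != "/":
        # http.uri is normalised by the HTTP parser, so a feed string is not
        # guaranteed to be a byte-for-byte match; a prefix (startswith) is tolerant.
        opts += ["http.uri", f'content:"{content_literal(path)}"', "startswith"]
    opts += ["classtype:bad-unknown", f"sid:{sid}", "rev:1"]
    return "alert http $HOME_NET any -> $EXTERNAL_NET any (" + "; ".join(opts) + ";)"


def feed_to_rules(feed_text, base_sid=1000000, min_reputation=0):
    """Parse the feed and return one rule per entry at or above min_reputation.
    SIDs are allocated sequentially from base_sid (local rules conventionally
    live at 1000000 and above)."""
    rules = []
    sid = base_sid
    for row in csv.DictReader(feed_text.splitlines()):
        if int(row["reputation"]) < min_reputation:
            continue
        rules.append(rule_for(row["url"], row["category"], row["reputation"], sid))
        sid += 1
    return rules


if __name__ == "__main__":
    print("\n".join(feed_to_rules(SAMPLE_FEED)))
```

Write the output to a file listed under `rule-files` and reload; the category and reputation travel in `msg`, so they appear in every alert. Each feed entry costs one signature, which is where the performance remark above comes from: a few thousand host-only entries are better held in a single signature with the `dataset`/`datarep` keywords that Suricata 5.0 introduced, but those match one buffer, so the host-plus-path combination generated here still needs per-URL rules.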