[Snort-users] Blocking Domain name like example.com

waldo kitty wkitty42 at ...14940...
Mon Dec 23 14:18:37 EST 2013


On 12/23/2013 8:50 AM, Ayodele Okeowo wrote:
> Yes, existing DNS rules which alert based on domain names. I don't seem to
> find that in my list of rules.

you are probably using only the VRT rules, then... i believe you will find
something similar to what you are looking for in the emergingthreats rules sets...

start here http://rules.emergingthreats.net/open/snort-2.9.0/rules/ and look in
the dns rules set... then search for "query for suspicious" for examples you
should be able to clone and modify for your specific needs... one domain per
rule gives the best granularity ;)

> Also How do I use it if I find it?

just like any other of the text based rules...

> Can it be used just like when I'm using the whitelist/blacklist rules?

not that i'm aware of...

>
> Sorry I couldn't reply early.

not a problem ;)

> Ayo
>
>
> On Sat, Dec 21, 2013 at 6:31 PM, waldo kitty <wkitty42 at ...14940...>
> wrote:
>
> On 12/21/2013 10:56 AM, Ayodele Okeowo wrote:
>> Hello guys,
>>
>> Is there a way to build a list of website names to be blocked by Snort? Or
>> should I just include the domain names within my alert or drop rules?
>
> do you mean something like existing DNS rules that alert based on domain
> names used for known malware distribution? ;)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
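
One way to produce the "one domain per rule" set suggested above, as an added example that is not part of the original message or of the emergingthreats rule sets. The rule layout, the msg text, the `bad-unknown` classtype, the local SID range starting at 1000001 and the sample domains are all assumptions.

```python
import re

# Assumed header match for a standard recursive query: flags high byte 0x01 (RD set),
# then QDCOUNT=1, ANCOUNT=0, NSCOUNT=0 and a zero ARCOUNT high byte (tolerates EDNS).
HDR = 'content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7;'
LABEL_RE = re.compile(r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?")

def normalize(domain):
    """Lower-case and drop surrounding whitespace and the trailing root dot."""
    return domain.strip().lower().rstrip(".")

def dns_content(domain):
    """Encode a name as length-prefixed DNS labels in Snort content syntax."""
    name = normalize(domain)
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        raise ValueError(f"not a usable domain name: {domain!r}")
    for label in labels:
        # Restricting the character set also keeps rule metacharacters out.
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"invalid DNS label {label!r} in {domain!r}")
    return "".join(f"|{len(l):02X}|{l}" for l in labels) + "|00|"

def make_rule(domain, sid, action="alert"):
    """Build one rule for one domain; 'drop' only takes effect in inline mode."""
    if action not in ("alert", "drop"):
        raise ValueError("action must be 'alert' or 'drop'")
    if sid < 1000000:
        raise ValueError("SIDs below 1000000 are reserved for distributed rule sets")
    pattern = dns_content(domain)  # validates the name before it reaches msg
    return (f'{action} udp $HOME_NET any -> any 53 '
            f'(msg:"LOCAL DNS query for listed domain {normalize(domain)}"; {HDR} '
            f'content:"{pattern}"; distance:0; nocase; fast_pattern; '
            f'classtype:bad-unknown; sid:{sid}; rev:1;)')

def build_rules(domains, first_sid=1000001, action="alert"):
    """One rule per unique domain, with sequential local SIDs."""
    seen, rules = set(), []
    for raw in domains:
        name = normalize(raw)
        if not name or name.startswith("#") or name in seen:
            continue
        seen.add(name)
        rules.append(make_rule(name, first_sid + len(rules), action))
    return rules

if __name__ == "__main__":
    # Constructed sample list; the second entry is a duplicate of the first.
    for rule in build_rules(["example.com", "Example.COM.", "# comment", "bad.example.net"]):
        print(rule)
```

Because the pattern begins with the length byte of the first listed label, each rule also matches queries for subdomains of the listed name but not for a longer name that merely ends in the same characters. It covers DNS over UDP port 53 only.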



