[Snort-users] Need an efficient way to generate rules for URL Filtering

Rodgers, Anthony (DTMB) RodgersA1 at ...17120...
Sat Mar 21 13:01:20 EDT 2015


I’m not sure that Snort is the best tool for this – have you considered a DNS blackhole?

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: Rishabh Shah [mailto:rishabh420 at ...11827...]
Sent: Friday, March 20, 2015 08:05
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Need an efficient way to generate rules for URL Filtering

Hi Snort Team,

Hope you are doing well.

I have a database of 1000 URLs that I want to block using Snort. Do I need to create 1000 separate rules to block each of them? Wouldn't there be a performance hit if I have a separate rule for each one of them (consider my database increases to 10K URLs)? Any alternatives that could achieve my aim?

FYI, this is how my rule looks today:
reject tcp any any -> any any (msg:"Blacklisted URL"; content:"youtube.com"; http_uri; react: msg;)

--
Regards,
Rishabh Shah.
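
Added example, not part of the original thread: one way to turn a URL database like the one described above into input for the DNS blackhole suggested in the reply. It assumes dnsmasq as the local resolver; the sample entries are constructed and the function names are hypothetical. It also flags entries that DNS cannot express exactly, since a blackhole blocks whole hostnames rather than individual URL paths.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample entries standing in for the URL database (not from the thread).
SAMPLE_URLS = [
    "youtube.com",
    "http://www.Example.com/",
    "https://example.com:8443/videos/watch?v=1",
    "example.org/downloads/tool.exe",
    "http://192.0.2.10/payload",
    "WWW.EXAMPLE.COM",
    "",
]

def classify(entries):
    """Split entries into hostnames DNS can sinkhole and entries needing review."""
    hosts, needs_review = set(), []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        # urlsplit only recognises the host when a scheme or "//" is present.
        parts = urlsplit(entry if "//" in entry else "//" + entry)
        host = (parts.hostname or "").rstrip(".").lower()
        if not host:
            needs_review.append((entry, "no hostname"))
            continue
        try:
            ipaddress.ip_address(host)
            needs_review.append((entry, "IP literal, no DNS lookup to intercept"))
            continue
        except ValueError:
            pass  # not an IP address, so it is a DNS name
        hosts.add(host)
        if parts.path not in ("", "/") or parts.query:
            needs_review.append((entry, "path-specific; DNS blocks the whole host"))
    return sorted(hosts), needs_review

def dnsmasq_lines(hosts, sink="0.0.0.0"):
    """One address= line per host; dnsmasq applies it to the name and its subdomains."""
    return [f"address=/{h}/{sink}" for h in hosts]

if __name__ == "__main__":
    hosts, review = classify(SAMPLE_URLS)
    print("\n".join(dnsmasq_lines(hosts)))
    for entry, why in review:
        print(f"# review: {entry} ({why})")
```

Entries reported for review are the ones where a per-URL Snort rule or a proxy would still be needed if blocking the whole host is too broad.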