[Snort-users] Need an efficient way to generate rules for URL Filtering

James Lay jlay at ...13475...
Sat Mar 21 14:48:41 EDT 2015


On Sat, 2015-03-21 at 17:01 +0000, Rodgers, Anthony (DTMB) wrote:
> I’m not sure that Snort is the best tool for this – have you
> considered a DNS blackhole?
>
> --
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC)
> DTMB, Michigan Cyber Security
>
> From: Rishabh Shah [mailto:rishabh420 at ...11827...] 
> Sent: Friday, March 20, 2015 08:05
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Need an efficient way to generate rules for URL
> Filtering
>
> Hi Snort Team,
>
> Hope you are doing well.
>
> I have a database of 1000 URLs that I want to block using Snort. Do I
> need to create 1000 separate rules to block each of them? Wouldn't
> there be a performance hit if I have a separate rule for each one of
> them (consider my database increases to 10K URLs)? Any alternatives
> that could achieve my aim?
>
> FYI, this is how my rule looks today:
>
> reject tcp any any -> any any (msg:"Blacklisted URL";
> content:"youtube.com"; http_uri; react: msg;)
>
> --
> Regards,
> Rishabh Shah.


Ya that or run a proxy.

James
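
The DNS blackhole suggested in this thread, sketched as an added example (not code from any poster): it reduces a URL list to hostnames and emits one sinkhole line per host instead of one Snort rule per URL. It assumes dnsmasq is the resolver and uses a constructed sample list; because DNS blocking works per hostname, URL paths are discarded and the whole host is blocked.

```python
from urllib.parse import urlsplit

# Constructed sample standing in for the poster's URL database.
SAMPLE_URLS = [
    "youtube.com",
    "http://www.YouTube.com/watch?v=abc",
    "https://ads.example.net:8443/banner.js",
    "example.org/some/page",
    "example.org/other/page",
    "   ",
    "# comment line",
]


def hostnames(urls):
    """Reduce URL entries to a sorted list of unique lowercase hostnames."""
    hosts = set()
    for raw in urls:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        # urlsplit only fills in .hostname when a scheme or "//" is present.
        if "://" not in entry:
            entry = "//" + entry
        try:
            host = urlsplit(entry).hostname
        except ValueError:  # malformed entry, e.g. an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host.rstrip(".").lower())
    return sorted(hosts)


def collapse(hosts):
    """Drop hosts already covered by a listed parent domain.

    dnsmasq's address=/domain/ip matches the domain and all its subdomains.
    """
    listed = set(hosts)
    kept = []
    for host in hosts:
        labels = host.split(".")
        # Parent domains, stopping before the bare top-level label.
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & listed:
            kept.append(host)
    return kept


def dnsmasq_lines(urls, sinkhole="0.0.0.0"):
    """Return dnsmasq config lines that answer each host with the sinkhole IP."""
    return [f"address=/{h}/{sinkhole}" for h in collapse(hostnames(urls))]


if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(SAMPLE_URLS)))
```
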