[Snort-users] Need an efficient way to generate rules for URL Filtering

Jack Pepper pepperjack at ...14319...
Sat Mar 21 22:24:51 EDT 2015


are these fqdns, full urls or domain names?

On Fri, Mar 20, 2015 at 7:05 AM, Rishabh Shah <rishabh420 at ...11827...> wrote:

> Hi Snort Team,
>
> Hope you are doing well.
>
> I have a database of 1000 URLs that I want to block using Snort. Do I need
> to create 1000 separate rules to block each of them? Wouldn't there be a
> performance hit if I have a separate rule for each one of them(consider my
> database increases to 10K URLs)? Any alternatives that could achieve my aim?
>
> FYI, this is how my rule looks today:
> reject tcp any any -> any any (msg:"Blacklisted URL"; content:"youtube.com
> "; http_uri; react: msg;)
>
> --
> Regards,
> Rishabh Shah.
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150321/ba1c1d5f/attachment.html>


More information about the Snort-users mailing list