Project

General

Profile

Actions
Copy link

Feature #6831

open

Snort does not support aliases containing FQDN

Added by Louis-Philippe Allard over 7 years ago. Updated almost 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
09/29/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Snort does not support aliases containing FQDN. The pass list in snort's settings has a list which points to a system-wide alias which contains 100+ FQDN entries and snort seems not to be able to use it saying:

FQDN aliases are not supported in Snort.

By being so, users are forced to maintain IP addresses or IP ranges in their already light-years long aliases, or worst, disable the triggering rules in snort, therefore mining the effectiveness of the snort application.

Actions
Copy link
 #1

Updated by Kill Bill over 7 years ago

Reading this would help to understand why it's not supported.
https://forum.pfsense.org/index.php?topic=87211.msg514703#msg514703

Actions
Copy link
 #2

Updated by Renato Botelho over 7 years ago

  • Priority changed from High to Normal
  • Target version deleted (2.4.0)

Keeping it opened for reference but I'm not sure if Bill Meeks will implement it based on his comments on the forum thread linked above

Actions
Copy link
 #3

Updated by Viktor Gurov almost 4 years ago

It can be a one-time name resolution, like HAproxy ACL (network/url/urltable aliases),
see #9793 for example

Actions
Copy link

Also available in: Atom PDF