Feature #6831

Snort does not support aliases containing FQDN

Added by Louis-Philippe Allard almost 4 years ago. Updated 23 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Snort
Target version: -
Start date: 09/29/2016
Due date:
% Done: 0%
Estimated time:

Description

Snort does not support aliases containing FQDNs. The pass list in Snort's settings has a list which points to a system-wide alias which contains 100+ FQDN entries, and Snort seems not to be able to use it, saying:

FQDN aliases are not supported in Snort.

By being so, users are forced to maintain IP addresses or IP ranges in their already light-years-long aliases, or worse, disable the triggering rules in Snort, therefore undermining the effectiveness of the Snort application.

History

#1 Updated by Kill Bill over 3 years ago

Reading this would help to understand why it's not supported.
https://forum.pfsense.org/index.php?topic=87211.msg514703#msg514703

#2 Updated by Renato Botelho over 3 years ago

  • Priority changed from High to Normal
  • Target version deleted (2.4.0)

Keeping it open for reference, but I'm not sure if Bill Meeks will implement it based on his comments on the forum thread linked above.

#3 Updated by Viktor Gurov 23 days ago

It can be a one-time name resolution, like HAProxy ACL (network/url/urltable aliases);
see #9793 for example.
