Project

General

Profile

Actions

Feature #6831

open

Snort does not support aliases containing FQDN

Added by Louis-Philippe Allard about 8 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
09/29/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Snort does not support aliases containing FQDN. The pass list in snort's settings has a list which points to a system-wide alias which contains 100+ FQDN entries and snort seems not to be able to use it saying:

FQDN aliases are not supported in Snort.

By being so, users are forced to maintain IP addresses or IP ranges in their already light-years long aliases, or worst, disable the triggering rules in snort, therefore mining the effectiveness of the snort application.

Actions #1

Updated by Kill Bill about 8 years ago

Reading this would help to understand why it's not supported.
https://forum.pfsense.org/index.php?topic=87211.msg514703#msg514703

Actions #2

Updated by Renato Botelho almost 8 years ago

  • Priority changed from High to Normal
  • Target version deleted (2.4.0)

Keeping it opened for reference but I'm not sure if Bill Meeks will implement it based on his comments on the forum thread linked above

Actions #3

Updated by Viktor Gurov over 4 years ago

It can be a one-time name resolution, like HAproxy ACL (network/url/urltable aliases),
see #9793 for example

Actions

Also available in: Atom PDF