Apply rules only on connections? + blocking lists #120
gustavo-iniguez-goya started this conversation in Ideas
Replies: 0 comments
There's a script on the original repo to create rules to block domains: https://github.com/evilsocket/opensnitch/blob/master/make_ads_rules.py
That would create as many rules as domains exist on each list, which is a bit crazy. However, based on this idea, I've created a special rule which downloads the lists from the given URL, and loads the domains in memory.
Checking the destination host of a connection against the list costs around 1us, before trying to discover the PID. Doing it after discovering the PID would still be useful, since it wouldn't add extra time.
On the other hand, the idea of applying rules without discovering the PID appeals to me. I'm thinking in particular of working on a gateway, where the connections do not originate from the machine itself.
Besides, we could also apply Yara rules to the connections, or analyze them by a 3rd party service (VirusTotal for instance).
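As an added example (not code from the post or from OpenSnitch itself), the in-memory list rule described above: it parses a hosts-format list like the ones make_ads_rules.py consumes into a set and checks a connection's destination host against it with one lookup, going beyond the post by also matching parent domains. The names Blocklist, ParseHostsList, Matches and sampleList, and the sample list itself, are my own and not from the project.

```go
package main

import (
	"bufio"
	"strings"
)

// Blocklist keeps a downloaded list in memory: one map lookup per connection, not one rule per domain.
type Blocklist struct{ domains map[string]struct{} }

// ParseHostsList reads the hosts format ("0.0.0.0 ads.example") used by most
// public lists, or one bare domain per line; '#' starts a comment. Entries
// for localhost are skipped so a list cannot block loopback traffic.
func ParseHostsList(text string) *Blocklist {
	bl := &Blocklist{domains: make(map[string]struct{})}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "#") // drop comments
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		host := fields[0] // bare domain
		if len(fields) > 1 { // hosts format: "<ip> <host> [alias...]"
			host = fields[1]
		}
		// normalize: lowercase, no trailing dot
		if host = strings.TrimSuffix(strings.ToLower(host), "."); host != "" && host != "localhost" {
			bl.domains[host] = struct{}{}
		}
	}
	return bl
}

// Matches reports whether the destination host or any parent domain of it is listed.
func (bl *Blocklist) Matches(host string) bool {
	h := strings.TrimSuffix(strings.ToLower(host), ".")
	for {
		if _, ok := bl.domains[h]; ok {
			return true
		}
		_, rest, found := strings.Cut(h, ".") // walk up one label
		if !found {
			return false
		}
		h = rest
	}
}

// sampleList is a constructed list standing in for a downloaded one.
const sampleList = "# constructed sample\n0.0.0.0 ads.example.test\n127.0.0.1 localhost\ntracker.example.test.\n"
```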