Alerting on IOCs

You can do this by applying a pcrexform transformation on the sticky buffer you want to alert on (e.g. dns.query, tls.sni, etc.) and then matching against the IOC datasets.

The pcrexform transformation is a regex match with a capture expression in it; the first capture group match is the output that is compared against the values in your IOC dataset.

So the easiest thing to do is to extract the last portion of the domain using a regex, for example:

random.subdomain.google.com.uk -> pcrexform:".+\.([-a-zA-Z0-9]+\.[-a-zA-Z0-9]+\.[-a-zA-Z0-9]+)"; -> google.com.uk

So the final rule should be something similar to:

alert dns any any -> any any (msg:"dns IOCs match"; dns.query; pcrexform:".+\.([-a-zA-Z0-9]+\.[-a-zA-Z0-9]+\.[-a-zA-Z0-9]+)"; dataset:isset,dns-iocs; sid:123; rev:1;)

The above regex was a quick one; you can find more robust implementations on the internet, but it should work.

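To see what the pcrexform capture actually hands to the dataset lookup, here is an added Python emulation of the rule's logic (example code, not part of the post or of Suricata). It uses the post's regex with a 0-9 digit class, constructed sample queries and IOC values, and assumes a "type string" dataset, whose file holds one base64-encoded value per line.

```python
import base64
import re

# Capture regex from the post. The greedy ".+" backtracks until exactly three
# labels remain, so the capture is always the last three labels of the query.
PCREXFORM = re.compile(r".+\.([-a-zA-Z0-9]+\.[-a-zA-Z0-9]+\.[-a-zA-Z0-9]+)")


def transform(query: str):
    """Emulate pcrexform: return capture group 1, or None when the regex does not
    match (Suricata then has nothing to compare and the rule cannot fire)."""
    m = PCREXFORM.match(query)
    return m.group(1) if m else None


def build_string_dataset(values):
    """Write values the way a Suricata 'type string' dataset file stores them:
    one base64-encoded entry per line."""
    return [base64.b64encode(v.encode()).decode() for v in values]


def load_string_dataset(lines):
    """Decode a 'type string' dataset file back into a lookup set."""
    return {base64.b64decode(line).decode() for line in lines if line.strip()}


def matches(query: str, dataset) -> bool:
    """dataset:isset semantics: alert only if the transformed buffer is in the set."""
    captured = transform(query)
    return captured is not None and captured in dataset


# Constructed IOC list and DNS queries (sample data, not real indicators).
IOCS = ["bad-example.com.uk", "c2.example.net"]
DATASET = load_string_dataset(build_string_dataset(IOCS))

if __name__ == "__main__":
    for q in ["random.subdomain.bad-example.com.uk",  # alerts: bad-example.com.uk
              "www.c2.example.net",                   # alerts: c2.example.net
              "c2.example.net",                       # no alert: only 3 labels, ".+\." has nothing to consume
              "tracker.bad-example.com"]:             # no alert: capture is bad-example.com, not in set
        print(f"{q:40} -> {transform(q)!s:22} alert={matches(q, DATASET)}")
```

Note the edge case: a query that is itself only three labels long (e.g. the IOC queried directly) does not match the regex at all, so it never reaches the dataset lookup.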