Configuring Suricata Datasets for enabling IDS

Prateek-Sharma · May 11, 2023, 11:02am

I am successfully established suricata as IDPS in my PC. Now I trying to create signature rule to generate an alert for zoom, spotify and mega applications with the help of Datasets Keyword in suricata documentation. But the logs are not generated by suricata. I think i am configuring dataset in wrong way.
Kindly please help me.

Thanks & Regards
Prateek Sharma
prateeksharmaknl278@gmail.com

Prateek-Sharma · May 11, 2023, 11:26am

@Eric_Leblond
Please help sir.
Big Fan.

Eric_Leblond · May 11, 2023, 12:10pm

Multiple points here:

the dataset file is string so it needs base64 encoding
dataset is full string match so you need to put the full hostname and not a substring

Prateek-Sharma · May 11, 2023, 12:28pm

So if i put full domain name in the dns-bl.lst such as zoom.us and all. Then it will work?

Eric_Leblond · May 11, 2023, 12:29pm

you need to look at the dns events generated when you sniff the traffic with suricata and then reuse the value.

Prateek-Sharma · May 11, 2023, 12:32pm

Sir, i looked at the dns traffic that i captured in the wireshark. The domain name for zoom is zoom.us. when i created a normal rule to detect zoom traffic then it worked. I just put zoom keyword in the content of my signature rule.

Eric_Leblond · May 11, 2023, 12:34pm

so yes put zoom.us in the dataset

Prateek-Sharma · May 11, 2023, 12:42pm

Steps:

I created dns-bl.lst file in /etc/suricata/rules
In dns-bl.lst i put zoom.us, mega.io, open.spotify.com
Add datasets:
dns-bl:
type: string
state: dns-bl.lst
Go to /etc/suricata/rules/custom.rules and add a custom i.e alert ip any any → any any (msg:”APP_DETECT”; dns.query; dataset:isset,dns-bl; sid:123; rev:1;)
go to suricata.yaml file and add custom.rules at rule-files
run commands iptables -t mangle -I INPUT -j NFQUEUE --queue-num 1
Run Command iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
service suricata restart
tail -100f /var/log/suricata/fast.log
Not getting the alerts.

Prateek-Sharma · May 11, 2023, 12:54pm

Prateek-Sharma · May 11, 2023, 12:56pm

Prateek-Sharma · May 11, 2023, 1:00pm

Sir, all the configuration files are correct as i created many rules and also tested them. Suricata working properly with that rules. I am just enthusiast to create signature rules by using datasets.
Help me!!

Eric_Leblond · May 11, 2023, 1:23pm

run suricata in command line to see the errors. The dataset file for example is not base64 encoded so you should have a message in the log.

Prateek-Sharma · May 11, 2023, 1:27pm

Prateek-Sharma · May 11, 2023, 1:39pm

bmurphy · May 11, 2023, 6:48pm

The quotes which i’ve highlighted in blue, are not normal quotes. Replace them with " instead of the “directional” quotes.

This is common when copy/pasting from rich text editors. I’ve suffered from this problem WAY too much.

vjulien · May 11, 2023, 8:17pm

wonder if we can “just” support the directional quotes

ish · May 11, 2023, 10:37pm

Shouldn’t be hard… Should proper symmetry be enforced as in “ must be terminated with a ”. Or allow nesting?

alert ... (msg:"Directional “directional” quotes found"; ...)

Expectations may differ here.

Prateek-Sharma · May 12, 2023, 5:45am

I have corrected all the errors that are appearing in the previous photo. Now the current status is this.

suricata service is running
configuration file suricata is correct as i added datasets keywords in the configuration file.
I created a dns-bl.lst file at /etc/suricata/rules having zoom.us, mega.io and open.spotify.com as the contents in that particular file.
Then i created a custom signature rule as shown in the image.
But still not getting any log.

image (3)1775×141 64.2 KB

Screenshot from 2023-05-12 10-57-291830×952 118 KB

Screenshot from 2023-05-11 18-22-391814×953 117 KB

Screenshot from 2023-05-12 11-11-211828×297 84.7 KB

Screenshot from 2023-05-12 10-58-471834×949 223 KB

Prateek-Sharma · May 12, 2023, 11:02am

@ish @Eric_Leblond
Respected Members,
Finally, i am getting logs. But still not working.
I have some queries mentioned below such as the websites with the same domain names are still opening and the applications of the same are working. Kindly Check my steps and resolve my query that why the websites are working. I am still confused that the applications are blocked with my signature rule or some network issue, because without opening the specific application i mentioned in the dataset(dns-bl.lst) the logs generate.
Steps:

suricata.yaml -> datasets:
                   dns-bl:
                       type: string
                       state: dns-bl.lst

create a dataset name dns-bl.lst
zoom.us
open.spotify.com
mega.io
Create a Suricata custom rule: drop ip any any → any any (msg:“Datasets Configured”; dns_query; dataset:set,dns-bl,type string; sid:2736971; rev:1;)

List of Queries:

Getting logs without opening the specific applications mentioned in the dataset.
The urls are still working after the execution of signature rule https://zoom.us/ https://open.spotify.com/ https://mega.io/
As mentioned in the documentation it’s be like this dataset:isset,dns-bl but via doing this not a single log generate but via doing dataset:set,dns-bl generate logs.

Prateek-Sharma · May 12, 2023, 1:26pm

@Eric_Leblond @Regit @ish
I am waiting for you reply to resolve my query since from yesterday.
Please help me.

Topic		Replies	Views
Help with datasets and DNS Rules	7	1515	March 11, 2024
V6.0.9: Custom Rule Failing to Load for Base64 Dataset - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - datasets are only supported for sticky buffers Rules rules	3	550	February 27, 2023
Dns.query and dataset Rules	11	4686	November 29, 2020
Dataset rules not triggering Rules	3	706	February 8, 2021
Datasets not working Help	1	21	August 7, 2024

Configuring Suricata Datasets for enabling IDS

Related topics