Configuring Suricata Datasets for enabling IDS

I think my Suricata rule is incorrect because I am getting logs without executing anything.
My Suricata Signature Rule is:

  • drop ip any any -> any any (msg:"APP-DETECT"; dns_query; dataset:set,dns-bl; sid:229873; rev:1;)

How do you run Suricata in your test? I see contradictory information in your screenshots.

I run the command mentioned below to run Suricata for testing:
sudo suricata -c /etc/suricata/suricata.yaml -i (interface-name)

This is the output after running the command, i.e. suricata -c /etc/suricata/suricata.yaml -i wlp1s0

This is my custom rule for Suricata.

This is my suricata.yaml file where I configured datasets.

This is my dns-bl.lst dataset in which I put the different domain names which I have to block.

Respected sir,
Hope you are fine.
This project is really important for me. Can we schedule an online meeting in which I'll tell you about my queries and what problems I am facing right now?
I shall be very thankful to you.
Thanks & Regards
Prateek Sharma
email - prateeksharmaknl278@gmail.com
linkedin - https://www.linkedin.com/in/knl-prateek/

-i is triggering a run in IDS mode, so you are not going to block anything. Please run in IPS mode with the -q option, as I've seen you've done before in this thread.

Please tell me the command I have to run for Suricata in test.

Usually something like -q 0 instead of -i interface, but you also need to have iptables/nftables rules set up.

So why do you want to block DNS and not block the TLS session using a tls.sni rule?

Because when I write a rule to block zoom and mega separately, these applications get blocked by DNS in the signature rule.

Meaning I just create a rule for DNS traffic with the content zoom in it, and that's it. It worked.

The DNS list is not base64 encoded; this may explain your issue.

Sir, I created a dataset named dns-bl.lst,
put zoom in the first line of the dataset and then mega on the other line, doing base64 encryption using CyberChef for both strings separately and then putting the results on different lines. But it is still not working.

Do I have to encode the whole file named dns-bl.lst?

Because tls.sni does not block my application completely. Logs are generated, but some traffic of that particular application still passes, so it's not completely blocked using tls.sni.
But by using DNS the application is completely blocked.

Yes, all string datasets must be base64 encoded.
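Since the thread turns on whether dns-bl.lst is actually base64 encoded per line, here is an added helper (my own example, not from the thread or the Suricata project) that writes a string dataset in that form and checks an existing file for the two mistakes discussed: plain-text lines and values encoded with a trailing newline. The domain names are constructed sample input; the "printable ASCII" rule for a decoded value is an assumption that fits a DNS blocklist.

```python
import base64
import binascii

# Constructed sample: the kind of entries the thread wants in dns-bl.lst
SAMPLE_DOMAINS = ["zoom.us", "mega.nz", "# comment lines are skipped", ""]


def encode_dataset_lines(values):
    """Return the base64 lines a Suricata string dataset expects, one per value.

    Whitespace is stripped first so that a trailing newline (the classic
    `echo domain | base64` / copy-paste mistake) never becomes part of the value.
    """
    out = []
    for raw in values:
        value = raw.strip()
        if not value or value.startswith("#"):
            continue
        out.append(base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return out


def check_dataset_lines(lines):
    """Classify each non-comment line of an existing dataset file.

    Returns [(line_no, status, decoded_value_or_None)], status being one of
    'ok', 'not-base64' or 'trailing-whitespace'. Plain words such as "zoom"
    can accidentally be valid base64, so (assumption) a decoded value must also
    be printable ASCII to count as a real DNS name.
    """
    results = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            decoded = base64.b64decode(line, validate=True)
            text = decoded.decode("ascii")
        except (binascii.Error, ValueError):
            results.append((no, "not-base64", None))
            continue
        if not text.strip().isprintable():
            results.append((no, "not-base64", None))
        elif text != text.strip():
            results.append((no, "trailing-whitespace", text.strip()))
        else:
            results.append((no, "ok", text))
    return results


if __name__ == "__main__":
    for line in encode_dataset_lines(SAMPLE_DOMAINS):
        print(line)
```

Running the script prints the lines to paste into dns-bl.lst; feeding the current file's lines to `check_dataset_lines` shows which entries Suricata will never match.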