Configuring Suricata Datasets for enabling IDS

Eric_Leblond · May 17, 2023, 12:14pm

Please answer to my requests and provide something that can be used to reproduce your issue.

Prateek-Sharma · May 17, 2023, 12:16pm

What i have to send? Please tell me

Eric_Leblond · May 17, 2023, 12:18pm

Signature, dataset file and a pcap file containing the traffic you try to block.

Prateek-Sharma · May 17, 2023, 12:18pm

Okay, Give me 2 minutes

Prateek-Sharma · May 17, 2023, 12:25pm

zoom.pcapng (195.1 KB)
drop ip any any → any any (msg:“APP-Detect”; dns_query; dataset:isset,dns-bl; sid:203720; rev:1;)
created a dataset named dns-bl.lst

Eric_Leblond · May 17, 2023, 12:31pm

The pcap file contains no hit to zoom.us hostname:

cat /tmp/eve.json |grep zoom|grep dns| jq .dns.rrname
"us04web.zoom.us"
"us04web.zoom.us"
"us04web.zoom.us"
"us04web.zoom.us"
"us04web.zoom.us"
"us04web.zoom.us"
"us04web.zoom.us"
"us04web.zoom.us"

dataset is a full string match so your signature can not work.

Also your encoding of the zoom.us string seems off (I bet you did not follow my indication on generating it)

Prateek-Sharma · May 17, 2023, 12:32pm

open that pcap file in wireshark and apply a search filter “frame contains zoom”

Eric_Leblond · May 17, 2023, 12:34pm

comment edited and please reread.

By the way, don’t use wireshark. Run the pcap in suricata and check dns transaction log to see what has been done. We don’t want wireshark truth but Suricata one when writing a signture.

Prateek-Sharma · May 17, 2023, 12:34pm

Okay Sir.
Please guide me step by step.
I will follow all your instruction but kindly please guide me the instructions clearly.

Eric_Leblond · May 17, 2023, 12:35pm

Instruction are clear. Please just read everything I’ve written. I’m stopping there the interaction.

Prateek-Sharma · May 17, 2023, 12:38pm

If possible can you please guide me step by step.
Such as i created a dataset file named dns-bl.lst in which i put base64 encrypted text of zoom.
then i created a custom signature rule drop ip any any → any any (msg:“APP-Detect”; dns_query; dataset:isset,dns-bl; sid:203720; rev:1;)
and enable dataset keyword in suricata.yaml file
datasets:
dns-bl:
type: string
state: dns-bl.lst

Is any step wrong in the above???

vjulien · May 17, 2023, 4:17pm

@Prateek-Sharma please take some time to read the docs, read the thread above and try things. Posting every couple of minutes is not productive and borders on being rude.

prateek.s · June 29, 2023, 9:15am

Got the right way to use datasets.

Andreas_Herz · July 31, 2023, 8:16pm

No that is not correct. Datasets are also supported in Suricata 6 for example, see 7.34. Datasets — Suricata 6.0.13 documentation