Currently I have a DNS rule that matches against a bunch of known bad URLs in a Base64 dataset.
This is working as a hit/miss check. I was wondering whether it is possible to show the actual value that was hit in the dataset in the rule message.
So if I have a dataset with 40,000 domains, can I show in the rule message which domain from those 40,000 was the offending domain?
Here is my current rule:
alert dns any any -> any any (msg:"BAD URL IN DNS QUERY"; dns_query; dataset:isset,domains-bl64; classtype:bad-unknown; sid:90000001; priority:2; rev:1;)
Edit: Should add I'm using the Suricata 5.0.6 that ships with IPFire, thanks.
I believe that dataset:isset,domains-bl64; is telling it to check if it is contained in my dataset domains-bl64, which I defined in suricata.yml. Indeed it seems to be working; I realised I had to drop the \n characters off the end of my dataset items to get them to match, so it seems to be working fine, I just need to see the domain it's matching. I've enabled that payload flag that you mention now, so will see if it gives me more info. Cheers.
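The rule msg is a fixed string, so the matched entry cannot be interpolated into it; the practical way to see which of the 40,000 entries fired is to decode the dataset and cross-reference the query name that Suricata logs in EVE JSON. The script below is an added example, not code from this thread or from the Suricata project. It assumes the EVE alert record carries app-layer metadata under dns.query[].rrname, and falls back to the dns event that shares the alert's flow_id when it does not; the blocklist, the EVE lines and the second sid (90000002) are constructed for the example. It also shows the trailing-newline pitfall from the second post: base64 of "bad.example\n" is a different dataset entry from base64 of "bad.example", so the newline must be stripped before encoding.

```python
"""Build a Suricata base64 string dataset and explain which entry an alert hit.

Added example (not from the forum thread or the Suricata project).
Assumption: EVE alert records carry DNS app-layer metadata as
dns.query[].rrname; when absent, the dns event with the same flow_id is used.
"""
import base64
import json

# Constructed blocklist as read from a text file: every line still carries
# the trailing newline that a naive readlines() leaves on it.
RAW_BLOCKLIST = "bad.example\nphish.example.net\nmalware.example.org\n"

# Constructed EVE JSON lines (not real Suricata output). Flow 1 has DNS
# metadata on the alert; flow 3 does not, so it must be joined to its
# dns event via flow_id; flow 2 is a different rule and should be ignored.
EVE_LOG = [
    json.dumps({"event_type": "alert", "flow_id": 1, "src_ip": "10.0.0.5",
                "alert": {"signature_id": 90000001, "signature": "BAD URL IN DNS QUERY"},
                "dns": {"query": [{"type": "query", "rrname": "phish.example.net", "rrtype": "A"}]}}),
    json.dumps({"event_type": "dns", "flow_id": 1,
                "dns": {"type": "query", "rrname": "phish.example.net", "rrtype": "A"}}),
    json.dumps({"event_type": "alert", "flow_id": 2,
                "alert": {"signature_id": 90000002, "signature": "some other rule"},
                "dns": {"query": [{"type": "query", "rrname": "unrelated.example", "rrtype": "A"}]}}),
    json.dumps({"event_type": "dns", "flow_id": 3,
                "dns": {"type": "query", "rrname": "malware.example.org", "rrtype": "A"}}),
    json.dumps({"event_type": "alert", "flow_id": 3, "src_ip": "10.0.0.9",
                "alert": {"signature_id": 90000001, "signature": "BAD URL IN DNS QUERY"}}),
]


def encode_entry(raw):
    """Base64 of the exact bytes Suricata will compare against the buffer.

    dns_query exposes the query name with no trailing newline, so an entry
    encoded from b"bad.example\\n" can never match b"bad.example".
    """
    return base64.b64encode(raw).decode("ascii")


def build_dataset(raw_text):
    """Return dataset lines (one base64 entry per domain), newline-safe."""
    lines = []
    for entry in raw_text.splitlines():          # drops \n and \r\n
        domain = entry.strip()
        if not domain or domain.startswith("#"):  # skip blanks and comments
            continue
        lines.append(encode_entry(domain.encode("utf-8")))
    return lines


def decode_dataset(dataset_lines):
    """Map each base64 entry back to the domain it encodes."""
    return {line: base64.b64decode(line).decode("utf-8", "replace")
            for line in dataset_lines}


def explain_alerts(eve_lines, dataset_lines, sid):
    """Return (rrname, flow_id) for each alert of `sid` whose query is in the dataset."""
    domains = set(decode_dataset(dataset_lines).values())
    events = [json.loads(line) for line in eve_lines]

    # Fallback source: query names logged by the dns event type, keyed by flow.
    dns_by_flow = {}
    for ev in events:
        if ev.get("event_type") == "dns" and ev["dns"].get("type") == "query":
            dns_by_flow.setdefault(ev["flow_id"], []).append(ev["dns"]["rrname"])

    hits = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != sid:
            continue
        names = [q.get("rrname", "") for q in ev.get("dns", {}).get("query", [])]
        if not names:                              # alert without app-layer metadata
            names = dns_by_flow.get(ev.get("flow_id"), [])
        for rrname in names:
            if rrname in domains:
                hits.append((rrname, ev.get("flow_id")))
    return hits


if __name__ == "__main__":
    dataset = build_dataset(RAW_BLOCKLIST)
    for rrname, flow_id in explain_alerts(EVE_LOG, dataset, 90000001):
        print(f"sid 90000001 hit dataset entry {rrname!r} on flow {flow_id}")
```

Write the output of build_dataset to the file named in suricata.yaml for the dataset and run the explain step over eve.json whenever the rule fires; the matched domain comes from the logged query name, not from the rule text.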