Dataset match in rule message?
Currently I have a dns rule and it matches against a bunch of known bad URLs in a Base64 dataset.

This is working as a hit/miss case. I was wondering if it is possible to show the actual value that was hit in the dataset in the rule message?

So if I have a dataset with 40,000 domains, can I show in the rule message which domain from those 40,000 was the offending domain?

Here is my current rule:

alert dns any any -> any any (msg:"BAD URL IN DNS QUERY"; dns_query; dataset:isset,domains-bl64; classtype:bad-unknown; sid:90000001; priority:2; rev:1;)

Edit: Should add I’m using the Suricata 5.0.6 that ships with IPFire, thanks :smiley:

I think the current rule is missing something to match the pattern with the content keyword (see 6.14. DNS Keywords — Suricata 6.0.0 documentation), so the current rule will match any DNS query.

You can get the matching domain by enabling payload-printable in the alert config:

        - alert:
            # payload: yes             # enable dumping payload in Base64
            # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
            payload-printable: yes

Also, you can extract more details by using a Lua script rule.
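An added example, not part of the original thread: with eve-log enabled, the alert record for the posted rule (sid 90000001) carries the queried name in its dns.query list, so a small post-processor can report which of the dataset's 40,000 domains was hit. The eve field layout and the base64-per-line dataset file format are assumed from Suricata's eve alert output and string-type datasets; all sample data below is constructed.

```python
import base64
import json

# Constructed sample: two entries of a Suricata "string" dataset. Suricata stores
# string-type entries base64-encoded, one per line (the "Base64 dataset" from the
# post), so the on-disk file never shows the plain domain.
DATASET_FILE = "\n".join(
    base64.b64encode(d.encode()).decode() for d in ("bad.example.com", "evil.test")
) + "\n"

# Constructed sample eve.json lines (not a real capture): one alert raised by the
# posted rule (sid 90000001) and one unrelated DNS event that must be ignored.
EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.10", "dest_ip": "192.0.2.53",
                "alert": {"signature_id": 90000001, "signature": "BAD URL IN DNS QUERY"},
                "app_proto": "dns",
                "dns": {"query": [{"type": "query", "id": 1,
                                   "rrname": "bad.example.com", "rrtype": "A"}]}}),
    json.dumps({"event_type": "dns",
                "dns": {"type": "query", "rrname": "good.example.org"}}),
]


def load_dataset(text):
    """Decode a base64 string dataset back into a set of plain values."""
    return {base64.b64decode(line).decode() for line in text.splitlines() if line.strip()}


def matched_domains(eve_lines, sid, dataset):
    """Return (rrname, src_ip) for every alert of `sid` whose query name is in the dataset."""
    hits = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert" or rec.get("alert", {}).get("signature_id") != sid:
            continue
        for q in rec.get("dns", {}).get("query", []):
            name = q.get("rrname", "")
            # dataset:isset matched on the query name; cross-check it against the decoded entries
            if name in dataset:
                hits.append((name, rec.get("src_ip")))
    return hits


if __name__ == "__main__":
    ds = load_dataset(DATASET_FILE)
    for name, src in matched_domains(EVE_LINES, 90000001, ds):
        print(f"sid 90000001 hit {name} queried by {src}")
```

Run it against a real eve.json by replacing EVE_LINES with the file's lines and DATASET_FILE with the contents of the dataset file named in suricata.yaml.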

I believe that dataset:isset,domains-bl64; is telling it to check if it is contained in my dataset domains-bl64, which I defined in suricata.yml. Indeed it seems to be working; I realised I had to drop /n characters off the end of my dataset items to get them to match, so it seems to be working fine, I just need to see the domain it’s matching. I’ve enabled that payload flag that you mention now, so will see if it gives me more info. Cheers.

Seems that’s only for eve-json log output, right? I’m just using the fast.log; the eve output was too noisy.

Enabling payload-printable with eve output off kills my Suricata, and it doesn’t start until I comment it out again.