I was excited to hear of dataset support for IP address types during Eric's (@Regit) talk at Suricon last year, as it could be a powerful and welcome replacement for IP Reputation (iprep), but I am not seeing any support for CIDR/IP ranges, which is crucial. Are there any plans to add support for IP/CIDR ranges to datasets?
datasets are exact lookups, so that seems hard to do. @Eric_Leblond any ideas?
We could introduce a transformation like mask to match on an IP/CIDR range, but this would match against a set containing networks. The problem would be if we have multiple CIDRs. But we could have multiple signatures with different masks.
You could as well do pre-processing to the CIDR ranges and expand them to individual IP Addresses before adding them to Suricata datasets.
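As an added illustration of the pre-processing suggested above (this is not code from the thread or from the Suricata project), the script below expands a mixed list of single addresses and CIDR ranges into one address per line, which is the plain-text format assumed here for an ip-type dataset file. Everything in it is hypothetical: the helper names, the constructed sample list, and the per-entry size cap, which is there because a /8 expands to 16 million lines and an IPv6 /64 cannot be expanded at all, so the script refuses such entries instead of silently producing an unusable dataset.

```python
import ipaddress
from typing import Iterable, List

# Hypothetical cap (not a Suricata setting): refuse to expand any single
# entry wider than a /16 in IPv4 terms (65536 addresses). An IPv6 /64 has
# 2**64 addresses, so this guard is what makes the script safe on v6 input.
MAX_EXPANDED_PER_ENTRY = 65536

# Constructed sample input, in the shape of a hand-maintained blocklist:
# bare addresses, CIDR ranges, comments and a duplicate that should collapse.
SAMPLE_ENTRIES = [
    "# constructed sample blocklist",
    "10.0.0.0/30",
    "192.0.2.1",
    "2001:db8::/126   # documentation prefix",
    "10.0.0.2/32      # already covered by 10.0.0.0/30",
    "",
]


def expand_entries(entries: Iterable[str],
                   max_per_entry: int = MAX_EXPANDED_PER_ENTRY) -> List[str]:
    """Expand addresses and CIDR ranges into a deduplicated, sorted list of
    single addresses, one per element, ready to be written as dataset lines."""
    seen = set()
    for raw in entries:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        # strict=False accepts host bits set in the prefix, e.g. 10.0.0.2/30
        net = ipaddress.ip_network(line, strict=False)
        if net.num_addresses > max_per_entry:
            raise ValueError(
                f"{line} expands to {net.num_addresses} addresses, "
                f"above the cap of {max_per_entry}; keep it in iprep instead"
            )
        # Iterating the network yields every address including the network
        # and broadcast addresses, which is what a blocklist wants.
        seen.update(net)
    # IPv4 before IPv6, then numeric order, so the output is reproducible.
    return [str(a) for a in sorted(seen, key=lambda a: (a.version, int(a)))]


def write_dataset(path: str, entries: Iterable[str]) -> int:
    """Write the expanded list to a file, one address per line (the plain
    text layout assumed here for an ip-type dataset). Returns the line count."""
    lines = expand_entries(entries)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    for addr in expand_entries(SAMPLE_ENTRIES):
        print(addr)
    try:
        expand_entries(["10.0.0.0/8"])
    except ValueError as exc:
        print("rejected:", exc)
```

The trade-off this makes visible is the one raised in the thread: a handful of small ranges expands to a handful of lines, but ASN- or country-sized ranges blow past any sane cap, so those lists are better left in iprep until datasets can hold prefixes natively.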
As long as there aren't plans to phase out iprep in favor of datasets, there is no major issue to my knowledge other than the additional configuration modifications required for iprep. Pre-processing CIDR expansion to individual addresses is an option, but I'm not sure of the performance difference vs iprep. We are running huge lists, with the majority of our custom ASN and Geo data being powered by iprep. Regardless, this is a limitation worth highlighting in any documentation that might exist on when to use IP datasets vs iprep.
One difference with iprep vs datasets is that iprep can only be used with the ip protocol rather than tcp, udp, tls, etc.
This limits how descriptive the rule can be, which causes FPs in many cases.