Hello!
I’m creating a rule with a dataset to trigger on DNS queries for specific domains. The domain names are in another file. alert dns any any -> any any (msg: "ET DNS Query for ryuk domain"; reference:url,https://github.com/Xanderux/suricata_CTI/blob/main/README.md; dns.query; dataset:set, domains_ryuk, type string, load: domains_ryuk.lst; sid:202025113; rev:1;)
I wrote some domain names in my .lst file.
But this rule triggers on any DNS communication, for example: {"action":"allowed","gid":1,"signature_id":202025113,"rev":1,"signature":"ET DNS Query for ryuk domain","category":"","severity":3},"dns":{"query":[{"type":"query","id":27945,"rrname":"tp.f0c2e5164-frontier.amazon.fr","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":106,"bytes_toclient":0,"start":"2020-11-25T09:47:01.034089+0100"}}
Do you know why my Suricata rule has this behavior?
I tried with this syntax but I get this error: dataset not defined
With this syntax in my rule: dataset:isset, domains_ryuk [type string, load: domains_ryuk.lst, memcap 500];
Thanks, I hadn’t encoded my .lst file. But I’m trying not to modify suricata.yaml and to specify my dataset in my rule instead. Without modifying suricata.yaml it doesn’t work.
In Suricata 6.0 and later, datasets are no longer experimental.
With 5.0.3, you’ll have to either:
1. Modify the Suricata configuration file, or
2. Supply additional configuration information on the command line.
With option 2, add --set datasets.domains-ryuk.state=./domains_ryuk64.lst --set datasets.domains-ryuk.type=string to the command line you’re using to start Suricata. Note that domains_ryuk64.lst is the base64-encoded representation of the plain-text file containing the domains. You can use base64 to generate this file.
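As an added example (not code from this thread or from the Suricata project), the script below builds the encoded state file the answer above refers to, prints the option-2 command line, and prints a rule that uses dataset:isset against the same dataset name. Two points it relies on: a string dataset stores one base64-encoded entry per line, so each domain is encoded on its own rather than the whole file at once, and the match is an exact string comparison, so the entries must be written the way the name appears in the rrname field of the eve output. The original rule uses dataset:set, which adds each observed value to the set and therefore fires regardless of what the list contains; isset only matches names already present. The paths, interface, the dataset name domains-ryuk and the two listed domains are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Suricata project.
# Builds the base64-encoded state file a 5.0.x string dataset expects from a
# plain-text domain list, then prints the matching command line and rule.
# Paths, interface, domain names and SID are made-up placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PLAIN="$WORKDIR/domains_ryuk.lst"
ENCODED="$WORKDIR/domains_ryuk64.lst"

# Constructed sample input: one domain per line, written exactly as it would
# appear in the eve "rrname" field, because the dataset match is byte-exact.
cat > "$PLAIN" <<'EOF'
ryuk-c2.example
update.ryuk-c2.example
EOF

# String datasets hold one base64-encoded entry per line, so each domain is
# encoded separately. printf '%s' keeps the newline out of the encoded value;
# tr strips the line wrapping/trailing newline that base64 itself emits.
encode_dataset() {
    plain="$1"
    state="$2"
    : > "$state"
    while IFS= read -r domain || [ -n "$domain" ]; do
        [ -n "$domain" ] || continue
        printf '%s\n' "$(printf '%s' "$domain" | base64 | tr -d '\n')" >> "$state"
    done < "$plain"
}

# Round-trip check: decode every line of the state file and compare the
# result with the original list. Returns 0 when they are identical.
verify_dataset() {
    plain="$1"
    state="$2"
    while IFS= read -r enc; do
        printf '%s\n' "$(printf '%s' "$enc" | base64 -d)"
    done < "$state" | diff -q - "$plain" >/dev/null
}

# Option 2 from the answer: define the dataset on the command line. The name
# after "datasets." (domains-ryuk) is the name the rule has to reference.
# Printed rather than executed here.
suricata_cmdline() {
    state="$1"
    printf 'suricata -c /etc/suricata/suricata.yaml -i eth0 \\\n'
    printf '  --set datasets.domains-ryuk.state=%s \\\n' "$state"
    printf '  --set datasets.domains-ryuk.type=string\n'
}

# Rule that fires only when the queried name is already in the set.
# dataset:set would instead insert every observed name into the set.
suricata_rule() {
    printf 'alert dns any any -> any any (msg:"Query for Ryuk domain"; dns.query; dataset:isset,domains-ryuk; sid:202025113; rev:2;)\n'
}

encode_dataset "$PLAIN" "$ENCODED"
verify_dataset "$PLAIN" "$ENCODED" && echo "state file OK: $ENCODED"
suricata_cmdline "$ENCODED"
suricata_rule
```

Run it once to produce the state file, then start Suricata with the printed command line and load a rules file containing the printed rule; a query for either listed name should then alert, and the amazon.fr query from the question should not.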