Domain name reputation

From reading the online document, i figure that Suricata is able to support IP based reputation list. My question is if Suricata can do the same to a domain name list ? And how please.
Thank you!

Yes, Suricata can do this via the Datarep feature for different sticky buffer (aka fields) including domains observed in tls sni, dns query…etc

This blog post explains how to alert on malicious dns queries (IOCs) using Suricata, it explains how the feature works.

hope this helps.

It works, thank you!

I simply appended a base64 domain-name into a list with 'echo -n www.google.com | base64 >> test.lst".

But is it possible to add a reputation-score next to the the domain-name and let the rule to compare & generate alerts of different categories? Thank you in advance!

Yes!, this is done via Datarep feature, the blogpost above explain the dataset feature and not the datarep.

the difference is in the datarep there is reputation attached to domains/hashes/etc, they work almost the same way.

It works fine, thank you!
But i figure that the mechanism behind the domainRep is “full text matching”.
I added things like “google.com, 100” into the reputation list, and figured out that there wouldn’t be any alerts printing out with running the command “nslookup www.google.com”, but the command “nslookup google.com” works.

So do you have any suggestions about this? do i have to prepare both the “www.google.com” and “google.com” in this case? Thank you!

The closest thing to achieve this is to use transformations, specifically pcrexform

You would need to transform the query www.google.com to google.com using regex, the resulting value would be the one that gets matched to

This explains the process Alerting on IOCs - #7 by IDSTower

Hi, the ‘pcre’ works good so far. But i figured that the ‘pcreform’ is case-sensitive, but the domains in the dataset that i prepared were all in lower case. It won’t work when some alphabets within the “dns->query->rrname” are of upper-case. What can i do please? Thank you!

My rule is like:
alert dns $HOME_NET any → any any (msg:“DNS Query to Malicious FQDN”; dns.query;pcrexform:"([a-zA-Z0-9\x2d\x5f]+.[a-zA-Z0-9\x2d\x5f]+$)";dataset:isset, My-Domain-Dataset, type string, memcap 10mb, hashsize 1024; classtype: ThreatIntel; sid:1000000; rev:2;)

I couldn’t figure out a way to do this in rules.

And although Transformations can be chained as per the docs, we don’t have a to_lowercase transform.

Maybe post this as a feature request?