From reading the online documentation, I figure that Suricata is able to support an IP-based reputation list. My question is whether Suricata can do the same for a domain name list, and how?
Thank you!
Yes, Suricata can do this via the Datarep feature for different sticky buffers (aka fields), including domains observed in TLS SNI, DNS queries, etc.
This blog post explains how to alert on malicious DNS queries (IOCs) using Suricata; it explains how the feature works.
Hope this helps.
It works, thank you!
I simply appended a base64-encoded domain name to a list with 'echo -n www.google.com | base64 >> test.lst'.
But is it possible to add a reputation score next to the domain name and let the rule compare it and generate alerts of different categories? Thank you in advance!
Yes! This is done via the Datarep feature; the blog post above explains the dataset feature and not datarep.
The difference is that in datarep there is a reputation attached to the domains/hashes/etc.; otherwise they work almost the same way.
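As an added example (not from this thread or the Suricata project), the following POSIX shell script builds a datarep list of the kind discussed above: each line is the base64 encoding of the domain (as in the 'echo -n ... | base64' command earlier in the thread) followed by a comma and a reputation score. Names are lowercased and stripped of a trailing dot before encoding, since the engine compares the stored value exactly. The output path, the sample domains and the scores are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a Suricata "type string" datarep list from
# "domain score" pairs. Not from the original thread. The file name
# and the sample entries below are constructed placeholders.

# normalize_domain: lowercase and drop a trailing dot so the list entry
# has a single canonical form (dataset string matching is exact).
normalize_domain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# encode_entry: string datasets store each value base64-encoded; a
# datarep list appends ",<score>" to the encoded value.
encode_entry() {
    _enc=$(normalize_domain "$1" | tr -d '\n' | base64 | tr -d '\n')
    printf '%s,%s\n' "$_enc" "$2"
}

# build_datarep: read "domain score" lines from stdin and write the
# encoded list to the file given as $1 (truncating it first).
# Blank lines and lines starting with '#' are skipped.
build_datarep() {
    _out="$1"
    : > "$_out"
    while read -r _dom _score; do
        [ -n "$_dom" ] || continue
        case "$_dom" in "#"*) continue ;; esac
        encode_entry "$_dom" "$_score" >> "$_out"
    done
}

# Usage: constructed sample input; override DATAREP_OUT to choose the path.
printf '%s\n' '# constructed sample list' 'WWW.Google.COM 100' 'malware.example. 50' \
    | build_datarep "${DATAREP_OUT:-/tmp/bad-domains.lst}"
```

The resulting file is what a rule's datarep keyword loads; in the Suricata documentation the keyword takes the list name, a comparison operator and a threshold (for example matching only entries whose score is above a given value), so different score bands can drive different alerts.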
It works fine, thank you!
But I figure that the mechanism behind the domain rep is "full text matching".
I added entries like "google.com, 100" to the reputation list and found that no alerts were printed when running the command "nslookup www.google.com", but the command "nslookup google.com" works.
So do you have any suggestions about this? Do I have to prepare both "www.google.com" and "google.com" in this case? Thank you!
The closest thing to achieve this is to use transformations, specifically pcrexform.
You would need to transform the query www.google.com to google.com using a regex; the resulting value would be the one that gets matched.
This explains the process: Alerting on IOCs - #7 by IDSTower
Hi, the pcre works well so far. But I found that pcrexform is case-sensitive, and the domains in the dataset that I prepared were all in lower case. It won't work when some letters within the dns->query->rrname are upper-case. What can I do please? Thank you!
My rule is like:
alert dns $HOME_NET any -> any any (msg:"DNS Query to Malicious FQDN"; dns.query; pcrexform:"([a-zA-Z0-9\x2d\x5f]+\.[a-zA-Z0-9\x2d\x5f]+$)"; dataset:isset, My-Domain-Dataset, type string, memcap 10mb, hashsize 1024; classtype: ThreatIntel; sid:1000000; rev:2;)
I couldn't figure out a way to do this in rules.
And although transformations can be chained as per the docs, we don't have a to_lowercase transform.
Maybe post this as a feature request?
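To make the mismatch concrete, here is an added example (not from the thread) that reproduces outside Suricata what the rule's pcrexform capture does: it keeps the last two labels of the query, base64-encodes the result the way a string dataset stores it, and looks it up in a list. The list contents and queries are constructed; the capture is written with a POSIX character class equivalent to the rule's "[a-zA-Z0-9\x2d\x5f]".

```shell
#!/bin/sh
# Added example, not from the original thread: simulate the rule's
# pcrexform capture and the dataset lookup to show why a mixed-case
# DNS query misses a lowercase list entry. Inputs are constructed.

# extract_domain: keep the last two labels, as the thread's capture
# group does. The letter case of the input is preserved unchanged.
extract_domain() {
    printf '%s' "$1" | grep -oE '[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# encode: base64 of the transformed value, which is how a "type string"
# dataset stores each entry.
encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# dataset_match: return 0 if the transformed query is present in the
# list file (one base64 value per line), 1 otherwise.
dataset_match() {
    _list="$1"; _query="$2"
    _dom=$(extract_domain "$_query") || return 1
    _key=$(encode "$_dom")
    grep -qxF "$_key" "$_list"
}

# Usage: a constructed list holding only the lowercase entry, as in
# the thread, queried with lowercase and mixed-case names.
_list=$(mktemp)
printf '%s\n' "$(encode google.com)" > "$_list"
for q in www.google.com WWW.Google.COM; do
    if dataset_match "$_list" "$q"; then
        echo "$q -> $(extract_domain "$q"): match"
    else
        echo "$q -> $(extract_domain "$q"): no match (case differs)"
    fi
done
```

Two caveats follow directly from the pattern: the transform output keeps the query's case, so lowercasing the list alone does not help until the query side is normalized too, and the "last two labels" capture collapses names such as mail.example.co.uk to co.uk, so lists built around such domains need a different expression.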