Domain name reputation

From reading the online documentation, I figure that Suricata is able to support an IP-based reputation list. My question is whether Suricata can do the same for a domain name list, and how, please.
Thank you!


Yes, Suricata can do this via the Datarep feature for different sticky buffers (aka fields), including domains observed in the TLS SNI, DNS query, etc.

This blog post explains how to alert on malicious DNS queries (IOCs) using Suricata; it explains how the feature works.

Hope this helps.

It works, thank you!

I simply appended a base64-encoded domain name to a list with `echo -n www.google.com | base64 >> test.lst`.

But is it possible to add a reputation score next to the domain name and let the rule compare it and generate alerts of different categories? Thank you in advance!

Yes! This is done via the Datarep feature; the blog post above explains the dataset feature, not datarep.

The difference is that in datarep there is a reputation attached to the domains/hashes/etc.; otherwise they work almost the same way.

It works fine, thank you!
But I figure that the mechanism behind the domainRep is "full text matching".
I added entries like "google.com, 100" to the reputation list, and found that no alerts were printed when running the command "nslookup www.google.com", but the command "nslookup google.com" works.

So do you have any suggestions about this? Do I have to prepare both "www.google.com" and "google.com" in this case? Thank you!

The closest thing to achieve this is to use transformations, specifically pcrexform.

You would need to transform the query www.google.com to google.com using a regex; the resulting value would be the one that gets matched.

This explains the process: Alerting on IOCs - #7 by IDSTower

Hi, the pcre works well so far. But I found that pcrexform is case-sensitive, and the domains in the dataset I prepared were all lower case. It won't work when some letters within the "dns->query->rrname" are upper case. What can I do, please? Thank you!

My rule is like:
alert dns $HOME_NET any -> any any (msg:"DNS Query to Malicious FQDN"; dns.query; pcrexform:"([a-zA-Z0-9\x2d\x5f]+\.[a-zA-Z0-9\x2d\x5f]+$)"; dataset:isset, My-Domain-Dataset, type string, memcap 10mb, hashsize 1024; classtype:ThreatIntel; sid:1000000; rev:2;)

I couldn't figure out a way to do this in rules.

And although transformations can be chained as per the docs, we don't have a to_lowercase transform.

Maybe post this as a feature request?
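To make the matching behaviour discussed in this thread concrete, here is an added Python simulation that is not part of the thread or of Suricata: it builds a string-type datarep list (base64 value, score), applies the same last-two-labels capture as the pcrexform above, does an exact lookup, and maps the score to alert tiers. The list entries, the score thresholds and the optional `lowercase` step are constructed assumptions for illustration; Suricata itself has no lowercase transform, which is exactly why the upper-case query does not match.

```python
import base64
import re

# Constructed reputation list standing in for the datarep text file.
REPUTATION = [("google.com", 100), ("example.org", 40)]

# Same capture as the rule in the thread: keep only the last two labels.
LAST_TWO_LABELS = re.compile(r"([a-zA-Z0-9\x2d\x5f]+\.[a-zA-Z0-9\x2d\x5f]+$)")


def build_datarep_lines(entries):
    """Encode entries as '<base64 value>,<score>' lines (string type)."""
    return [f"{base64.b64encode(d.encode()).decode()},{s}" for d, s in entries]


def load_datarep(lines):
    """Decode lines into an exact-match table keyed by the raw string."""
    table = {}
    for line in lines:
        value, score = line.rsplit(",", 1)
        table[base64.b64decode(value).decode()] = int(score)
    return table


def transform(query, lowercase=False):
    """pcrexform-style capture. 'lowercase' is NOT a Suricata transform; it is
    a hypothetical step included only to show what the thread is missing."""
    match = LAST_TWO_LABELS.search(query)
    if match is None:
        return None
    value = match.group(1)
    return value.lower() if lowercase else value


def lookup(table, query, lowercase=False):
    """Exact match only: 'www.google.com' hits only after the transform."""
    key = transform(query, lowercase)
    return table.get(key) if key is not None else None


def classify(score):
    """Map a reputation score to an alert tier (constructed thresholds, the
    analogue of several datarep rules with different '>' comparisons)."""
    if score is None:
        return None
    if score > 80:
        return "high"
    if score > 30:
        return "medium"
    return None
```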