TLDR;
What if we add a dynamic feature to address-group vars via fqdn strings in the list? Have Suricata resolve and add/remove as ( static +/- ( dynamic +/- updates) ) or whatever works better.
The long:
There are several dynamic IP hosts on my network that the local FQDNs get updated for (hostname.homelab.home) and it would be useful to use address-groups of lists of local FQDNs that Suricata would periodically resolve according to the OS DNS stack or in Suricata stack via a list of specified DNS Servers. The later might be preferred, as the extra control could be very useful.
The vars are used in mapping a few bypass rules, as well as some of the suspicious and HTTP rules have been modified using suricata-update to use address-groups.
In addition to the list of IPs found in address-group vars, if there could also include FQDNs that Suricata would find the IPs (ipv4 and ipv6) for and dynamically update that address-group var according to the new IPs. It might be nice to have an age off time period there too, as well as a setting about how often to update each fqdn enhanced now dynamic list. The update would keep any otherwise now ‘static IP’ or ‘static Subnet’ additions or removals that are part of the address-group.
The alternative is, and it is a bit much, to make a shell script to update the vars in the suricata custom.yaml file for me. The host is FreeBSD and I’ve had the darndest time trying to get a shell script that will resolve the IPs for the FQDNs and then dynamically update the var entries in custom.yaml. In short, that’s what I’m slowly still after - it is just a tall leap so far.
My thoughts are this might be a really useful feature for many of us, and would mean I could just keep really clean and recognizable address-group vars.
