Help with datasets and DNS

Rules
1

Hi guys,
I am using Suricata 6.0.0 and I want to setup rule with dataset for DNS requests.

Here is my setup:

Rule:
alert dns any any → any any (msg:“DNS Query BLACKLISTED DOMAIN”;dns.query;to_sha256;dataset:isset,bad-domain;sid:900002; rev:1; )

Suricata.yml:
datasets:
bad-domain:
type: sha256
load: /etc/suricata/rules/domains_blck.lst
memcap: 100mb

domains_blck.lst: (one value sha256 for test.xyz)
b682109cba2ce81a7a25d8979eb5860b9be131d24ff6b2dd6c210d9e5c6dcd59

However when I do request for test.xyz there is no alert and no errors in the log for it.

What am I doing wrong ?

2

Does the dns record generated ("evet_type":"dns") match the domain ? (and subsequently the sha256?)

3

Hi Peter,

it does:
“dns”:{“type”:“query”,“id”:32445,“rrname”:“test.xyz”,“rrtype”:“A”,“tx_id”:0}

However I changed the hash in the file with:
echo -n test.xyz | sha256sum
4d09faeba081444a05f1d8da8bf9625de41970cb6aacee57858b5bdec347cf04 -

but still no success.

Btw how exactly Suricata checks it, if test.xyz works, will abc.test.xyz alert ?

4

I just want to say that I get the same results.

datasets:
   # Default fallback memcap and hashsize values for datasets in case these
   # were not explicitly defined.
   defaults:
     memcap: 100mb
     hashsize: 2048
   test:
     type: sha256
     load: /etc/suricata/test.list

Creating the list:
echo -n "test.xyz" | sha256sum | awk '{print $1}' > test.list
The test rule:
alert dns any any -> any any (msg:"testrule"; dns_query; to_sha256 dataset:isset,test; sid:1;)

I tried changing the type to string and doing echo -n test.xyz | base64 > test.list instead and using type:string and removing to_sha256. That works.

Tested using the jason ish docker container running 6.0.2

5

In general if the rrname matches it will and should alert.
If you test with base64 than you need to remove the to_sha256 from the rule though (and adjust the type to string in the yaml config as well) - just for record keeping , you might have already done it.
Can you try a basic test - match on the domain without any datasets , just regular rule based domain match - just to confirm everything is ok with the setup.

6

My bad. I did a double take and I must have missed something.
This works for me now.
Same hash in the list, type: sha256 and alert dns any any -> any any (msg:"testrule"; dns_query; to_sha256; dataset:isset,test; sid:1;) in the rulefile.

7

Glad to hear it is working now.Thank you for the feedback.

8

Is there a way to get how many entries against each dataset actually has been loaded? Some data may be bad, which get rejected by suricata. It will be really helpful to know how many data actually got loaded in the engine.