How can datarep work with subdomain?

Hello, I use datarep to detect the domains in my blacklist.
I have a blacklist file like the one below:

cGh4bWZnLmNv,300,phxmfg.co
bW9kZXJubWVhZG93LmNv,300,modernmeadow.co
bHNvcGxleGlzLmNvbQ==,300,lsoplexis.com

and below is the rule, which was written with reference to the documents here:

alert dns any any -> any any (msg:"dns blacklist detected"; dns.query; datarep:dns_string, >, 200, load /home/test/domain.blacklist, type string; classtype:test;sid:12345678;)

But it doesn't work with subdomains. How can I make it effective for subdomains?
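As an added illustration (not from the original post and not Suricata's own code): the rule above compares the whole dns.query buffer against the loaded strings, so an exact entry for `phxmfg.co` does not cover `www.phxmfg.co`. The Python below parses the posted three-column file, emulates that exact `> 200` lookup, shows a hypothetical parent-label walk that would match subdomains, and generates lines in the post's format; the blacklist lines are a constructed copy of the ones in the post.

```python
import base64
from typing import Dict, Optional

# Constructed copy of the posted blacklist: base64(domain),reputation,plain-text domain.
BLACKLIST = """\
cGh4bWZnLmNv,300,phxmfg.co
bW9kZXJubWVhZG93LmNv,300,modernmeadow.co
bHNvcGxleGlzLmNvbQ==,300,lsoplexis.com
"""


def load_datarep(text: str) -> Dict[str, int]:
    """Parse 'base64,rep[,comment]' lines into {decoded string: reputation}."""
    table: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        value = base64.b64decode(fields[0]).decode()
        table[value] = int(fields[1])  # any third column is treated as a comment
    return table


def datarep_match(table: Dict[str, int], query: str, threshold: int = 200) -> bool:
    """Emulate 'datarep:dns_string, >, 200': exact lookup of the entire query value."""
    rep = table.get(query)
    return rep is not None and rep > threshold


def datarep_parent_match(table: Dict[str, int], query: str, threshold: int = 200) -> Optional[str]:
    """Hypothetical subdomain-aware check: strip leading labels until a listed parent hits."""
    labels = query.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if datarep_match(table, candidate, threshold):
            return candidate
    return None


def encode_entry(domain: str, rep: int) -> str:
    """Build one blacklist line in the post's layout from a plain-text domain."""
    return f"{base64.b64encode(domain.encode()).decode()},{rep},{domain}"
```

`datarep_parent_match` only shows the matching behaviour being asked for; it is not something the rule engine does with this file.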

I think @Regit is working on this…

So is there no better solution at present? :cold_sweat:

By the way, you mean dataset, not datarep, right?

No, I mean datarep; dataset is also OK, as long as it can implement this function.
