Hi everyone, I want to use ipset in the suricata.rules file. Suricata version 7.0.0-rc2 is installed. Here is my rule:
alert ip [ipset: youtubeip] any -> any any (msg:"Blocked IP detected"; sid:100001;)
And here is the error message:
Error: detect: failed to parse address "ipset: youtubeip" [DetectAddressSetup:detect-engine-address.c:653]
Error: detect: error parsing signature "alert ip [ipset: youtubeip] any -> any any (msg:"Blocked IP detected"; sid:100001;)" from file /var/lib/suricata/rules/suricata.rules at line 11 [DetectLoadSigFile:detect-engine-loader.c:194]
Hi!
I’ll wait for others to answer, I’m not 100% sure but AFAIK, Suricata does not support ipsets like that.
You could define a range of IPs in your suricata.yaml under a variable name and perhaps use that.
Actually while looking for that, I think I found the better answer to your problem.
Seems like you could use ip.src or ip.dst along with a combination of datasets to achieve your goal: 8.39. IP Addresses Match — Suricata 7.0.1-dev documentation
I added a variable in the vars section of the suricata.yaml file and it works. But my main purpose is to bypass YouTube or Twitter. I tried to add content:"youtube.com" but it didn't log all packets. What should the rule be to log all YouTube or Twitter packets?
If you want to do it by the host, use a combination of the http.host sticky buffer and datasets instead of the ip… sticky buffers. See all the HTTP sticky buffers in case any of them seem relevant: 8.13. HTTP Keywords — Suricata 7.0.1-dev documentation
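
The http.host plus dataset approach from the last reply, as an added example that is not part of the original thread: the script writes a `type string` dataset file (Suricata expects each string value base64-encoded) and prints a rule that alerts when the request host is in that set. The host list, dataset name, file name and sid are constructed for illustration, and http.host only sees plaintext HTTP requests.

```python
import base64

# Constructed sample list. A dataset lookup is an exact match on the whole
# buffer, so "youtube.com" and "www.youtube.com" are separate entries.
WATCHED_HOSTS = ["youtube.com", "www.youtube.com", "twitter.com", "www.twitter.com"]


def dataset_lines(hosts):
    """Return the lines of a `type string` dataset file: one base64 value per host."""
    # http.host is a lowercased buffer, so store lowercase values; drop duplicates.
    cleaned = {h.strip().lower() for h in hosts if h.strip()}
    return [base64.b64encode(h.encode("ascii")).decode("ascii") for h in sorted(cleaned)]


def decode_dataset(lines):
    """Reverse of dataset_lines(), for reviewing an existing dataset file."""
    return [base64.b64decode(line).decode("ascii") for line in lines if line.strip()]


def build_rule(name, filename, sid):
    """Build an alert rule that fires when http.host is present in the dataset."""
    return (
        'alert http any any -> any any (msg:"Watched HTTP host seen"; '
        f"http.host; dataset:isset,{name},type string,load {filename}; "
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    # Hypothetical dataset name, file name and sid; adjust to the local rule set.
    with open("watched-hosts.lst", "w", encoding="ascii") as fh:
        fh.write("\n".join(dataset_lines(WATCHED_HOSTS)) + "\n")
    print(build_rule("watched-hosts", "watched-hosts.lst", 1000002))
```

Run it in the directory the rule file loads datasets from, then append the printed rule to the rule file.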