How to use ipset in suricata.rules

Hi everyone, I want to use ipset in suricata.rules file. suricata 7.0.0-rc2 version is installed. Here is my rule

alert ip [ipset: youtubeip] any → any any (msg:“Blocked IP detected”; sid:100001;)

and here is error message

Error: detect: failed to parse address “ipset: youtubeip” [DetectAddressSetup:detect-engine-address.c:653]
Error: detect: error parsing signature “alert ip [ipset: youtubeip] any → any any (msg:“Blocked IP detected”; sid:100001;)” from file /var/lib/suricata/rules/suricata.rules at line 11 [DetectLoadSigFile:detect-engine-loader.c:194]

Any help would be great. Thanks.

I’ll wait for others to answer, I’m not 100% sure but AFAIK, Suricata does not support ipsets like that.
You could use define a range of IPs in your suricata.yaml under a variable name and perhaps use that.

Hi Shivani,

Can you share example or documentary about this definition?
Thanks a lot.

Actually while looking for that, I think I found the better answer to your problem.
Seems like you could use ip.src or ip.dst alongwith a combination of datasets to achieve your goal: 8.39. IP Addresses Match — Suricata 7.0.1-dev documentation


I’ll try and update this thread. Thanks.

add variable in vars section at suricata.yaml file and its work. But my main purpose is bypass youtube or twitter. I tried to add content:“” but it didn’t log all packets. What should be the rule logging all youtube or twitter packets?

if you want to do it by the host, use a combination of sticky buffer and datasets instead of the ip… sticky buffers. See all http sticky buffers if any of them seem relevant: 8.13. HTTP Keywords — Suricata 7.0.1-dev documentation