I’m trying to figure out if there is a way to keep a reference to the matched items of a dataset. It does not seem to be possible with Suricata 5.0.3.
My issue is, in particular, that custom rules only consider matches in the entire dataset, but not the matched item itself. So I can check isset
or isnotset
when writing a custom rule. But when I then create an alert from that rule I’m missing some kind of a ID or a placeholder to reference the matched item.
I am looking into this feature to implement some sort of “back reporting” from Suricata to another tool. I plan to manage IoCs dynamically via datasets, then report back matches of those IoCs. Ideally, we could store additional IDs in a dataset, but a clear text reference as described above would do as well.
Any ideas on how we could implement this?
If not already possible, then here are two suggestions for implementation:
-
Store additional fields in the dataset, more like a map or “arrays as values”. Instead of values being in there or not, we could have context around those entries.
key
s could be used to checkisset
andisnotset
, values could then be referenced by that key. -
A simpler approach could be to provide a placeholder for rule writing. A placeholder could be a variable that takes the value of the matched item like
$match
, which then can be used to write the alert message. (example rule:alert dns any any -> any any (msg:”evil entry $matched discovered”; dns.query; to_sha256; dataset:isset,dns-sha256-seen; sid:123; rev:1;)
)