Hi guys,
I attempted to modify the rule to use the raw 32 bit number in the ipv4.hdr. The problem is that I am not trying to check match for a single number specified within the rule, but against one or more lists with several IPs.
Can you please show me a valid transformation for the rule to dynamically convert IP address within ipv4.hdr into a nice dotted quad notation?
drop ip any any -> any any (msg:"TEST Bad IP Dataset"; ipv4.hdr; dataset:isset,test-badip64,type string,load /etc/suricata/rules/test-badip64.lst; classtype:bad-ip; sid:10; rev:1;)
Or perhaps should I convert each item within the dataset to be a raw 32 bit number, then convert the list to a base64 file?
Thanks