Suricata

I don't see how this could work. Datasets are essentially hash tables, where we take the buffer and use it to do a look up.

What would we look up when using endswith?

Say our buffer is 'example.com', would we first lookup 'm' and then 'om' and then 'com' and them '.com' and so on? This is not feasible.

Yes, I was fearing that it should be an exact match only. (and I was going too far :) )

As a test I was looking in particular for an easy way to use datasets to bypass/whitelist domains/dns logs as they are verbose. So as a test example every dns query that ends on “.windowsupdate.com” or “.microsoft.com” or “.mylocalad.net” .

There are other ways to do it for sure (on the tap device/broker or) like when processing logs etc... but since suricata is the first to see it was thinking it would be the earliest point to drop it for example which makes it more efficient to the full chain of processing/ingesting logs.

How do we do it currently if the rule says:

content:”.example.com”; endswith;
?

Currently they are hash tables for exact lookups.