Feature #3430
open
make endswith/startswith available to relevant buffers when datasets are used on those
Added by Peter Manev over 4 years ago.
Updated 10 months ago.
Description
Currently datasets can be used as :
alert dns $HOME_NET any -> any any (msg:"Blacklisted domain request"; dns_query; dataset:set,dns.blacklist,type string; sid:333; rev:1; )
but not as with "endswith"
alert dns $HOME_NET any -> any any (msg:"Blacklisted domain request"; dns_query; dataset:set,dns.blacklist,type string; endswith; sid:333; rev:1; )
while in a regular rule "endswith" for example is available for that buffer
alert dns $HOME_NET any -> any any (msg:"Blacklisted domain request"; dns_query; content:".suspicious.com"; endswith; bypass; sid:111; rev:1; )
I don't see how this could work. Datasets are essentially hash tables, where we take the buffer and use it to do a look up.
What would we look up when using endswith?
Say our buffer is 'example.com', would we first lookup 'm' and then 'om' and then 'com' and them '.com' and so on? This is not feasible.
Yes, I was fearing that it should be an exact match only. (and I was going too far :) )
As a test I was looking in particular for an easy way to use datasets to bypass/whitelist domains/dns logs as they are verbose. So as a test example every dns query that ends on “.windowsupdate.com” or “.microsoft.com” or “.mylocalad.net” .
There are other ways to do it for sure (on the tap device/broker or) like when processing logs etc... but since suricata is the first to see it was thinking it would be the earliest point to drop it for example which makes it more efficient to the full chain of processing/ingesting logs.
How do we do it currently if the rule says:
content:”.example.com”; endswith;
?
Are datasets really hash tables ?
I thought they were a big list, sometimes of hashes, sometimes of strings (base64-encoded)
In the last case, this should be feasible...
Currently they are hash tables for exact lookups.
Also available in: Atom
PDF