Project

General

Profile

Actions
Copy link

Feature #3430

open
PM OD

make endswith/startswith available to relevant buffers when datasets are used on those

Feature #3430: make endswith/startswith available to relevant buffers when datasets are used on those

Added by Peter Manev over 6 years ago. Updated almost 3 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
-
Effort:
Difficulty:
Label:

Description

Currently datasets can be used as :

alert dns $HOME_NET any -> any any (msg:"Blacklisted domain request"; dns_query; dataset:set,dns.blacklist,type string; sid:333; rev:1; )

but not as with "endswith" 
alert dns $HOME_NET any -> any any (msg:"Blacklisted domain request"; dns_query; dataset:set,dns.blacklist,type string; endswith; sid:333; rev:1; )

while in a regular rule "endswith" for example is available for that buffer

alert dns $HOME_NET any -> any any (msg:"Blacklisted domain request"; dns_query; content:".suspicious.com"; endswith; bypass; sid:111; rev:1; )
Actions
Copy link

Also available in: PDF Atom