Feature #3848
openKeep a Reference to Matched Items in Suricata Datasets for Rule-Writing
Description
When writing custom rules with datasets one can only consider matches in the entire dataset, but not the matched item itself. So I can check `isset` or `isnotset` when writing a custom rule. But when I then create an alert from that rule I’m missing some kind of an ID or a placeholder to reference the matched item.
This is a feature request to provide a placeholder for matched items in datasets for rule writing. A placeholder could be a variable that takes the value of the matched item like `$match`, which then can be used to write the alert message. Example rule, given a dataset called `dns-sha256-seen`: `alert dns any any -> any any (msg:”evil entry $matched discovered”; dns.query; to_sha256; dataset:isset,dns-sha256-seen; sid:123; rev:1;)`
Updated by Felix Ortmann about 4 years ago
When writing custom rules with datasets one can only consider matches in the entire dataset, but not the matched item itself. So I can check isset or isnotset when writing a custom rule. But when I then create an alert from that rule I’m missing some kind of a placeholder to reference the matched item.
This is a feature request to provide a placeholder for matched items in datasets for rule writing. A placeholder could be a variable that takes the value of the matched item like $match, which then can be used to write the alert message. Example rule, given a dataset called dns-sha256-seen: alert dns any any -> any any (msg:”evil entry $matched discovered”; dns.query; to_sha256; dataset:isset,dns-sha256-seen; sid:123; rev:1;)
Updated by Philippe Antoine 3 months ago
- Status changed from New to Feedback
- Assignee set to Community Ticket
- Target version set to TBD
Could you get it with PCRE capture ?
likepcre: /.+/,flow:dns_matched_query