Feature #3848

Keep a Reference to Matched Items in Suricata Datasets for Rule-Writing

Added by Felix Ortmann over 3 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

When writing custom rules with datasets one can only consider matches in the entire dataset, but not the matched item itself. So I can check `isset` or `isnotset` when writing a custom rule. But when I then create an alert from that rule I’m missing some kind of an ID or a placeholder to reference the matched item.

This is a feature request to provide a placeholder for matched items in datasets for rule writing. A placeholder could be a variable that takes the value of the matched item like `$match`, which then can be used to write the alert message. Example rule, given a dataset called `dns-sha256-seen`: `alert dns any any -> any any (msg:"evil entry $matched discovered"; dns.query; to_sha256; dataset:isset,dns-sha256-seen; sid:123; rev:1;)`
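The workaround rule writers use today, as an added example that is not part of the issue and not Suricata's own code: a `sha256`-typed dataset is loaded from a file of hex-encoded hashes, so the original item is not recoverable from the dataset or from the alert; keeping a hash-to-item side table next to the dataset file lets a consumer of the alert resolve which entry matched. The domain list, the query names and the `dns-sha256-seen.lst` file name are constructed for the illustration; the dataset option syntax (`type sha256,load <file>`) follows the documented `dataset` keyword.

```python
"""Build a Suricata sha256 dataset from a list of items and keep a
hash -> item side table so a dataset hit can be resolved back to the
item that matched.  Added illustration for issue #3848, not Suricata
code; all sample data below is constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample data: domains we have "seen" and want to alert on.
SEEN_DOMAINS: List[str] = ["evil.example", "c2.badhost.test", "Mixed.Case.example"]

# Constructed DNS query names as the dns.query buffer carries them:
# the name without a trailing dot, byte-for-byte as seen on the wire.
SAMPLE_QUERIES: List[str] = ["evil.example", "benign.example", "mixed.case.example"]


def sha256_hex(item: str) -> str:
    """Hex SHA-256 of the item's raw bytes, mirroring what the to_sha256
    transform hashes: the buffer as-is, so case and encoding matter."""
    return hashlib.sha256(item.encode("utf-8")).hexdigest()


def build_dataset(items: List[str]) -> Tuple[str, Dict[str, str]]:
    """Return (dataset file text, hash -> item lookup).

    A dataset of type sha256 is loaded from a file holding one hex-encoded
    SHA-256 per line.  The file never contains the original item, which is
    why the lookup table has to be kept separately by the rule writer."""
    lookup = {sha256_hex(i): i for i in items}
    text = "\n".join(sorted(lookup)) + "\n"
    return text, lookup


def rule_line(dataset_name: str, sid: int) -> str:
    """The rule from the issue with the dataset type and load file spelled
    out.  msg is a fixed string; the matched item is not available to it,
    which is the gap the issue describes.  The .lst file name is assumed."""
    return (f'alert dns any any -> any any (msg:"evil entry discovered"; '
            f'dns.query; to_sha256; dataset:isset,{dataset_name},type sha256,'
            f'load {dataset_name}.lst; sid:{sid}; rev:1;)')


def matched_item(query: str, lookup: Dict[str, str]) -> Optional[str]:
    """Emulate 'dns.query; to_sha256; dataset:isset' on one query and, on a
    hit, resolve the hash back to the item via the side table.  Returns
    None when the dataset would not match."""
    return lookup.get(sha256_hex(query))


def resolve_matches(queries: List[str], lookup: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each query name to the dataset item it matched, or None."""
    return {q: matched_item(q, lookup) for q in queries}


if __name__ == "__main__":
    text, lookup = build_dataset(SEEN_DOMAINS)
    print(rule_line("dns-sha256-seen", 123))
    print("dns-sha256-seen.lst contents:\n" + text)
    for q, item in resolve_matches(SAMPLE_QUERIES, lookup).items():
        print(f"{q!r}: {'match -> ' + item if item else 'no match'}")
```

Note the third query: `mixed.case.example` does not match `Mixed.Case.example`, because `to_sha256` hashes the buffer bytes exactly as they appear; items must be written into the dataset in the same form the traffic will carry, or normalised with a transform placed before `to_sha256`.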
