Feature #3849
openExtend Suricata Datasets to Datamaps with Keys and Values
Description
I am looking to implement some sort of “back reporting” from Suricata to another tool. I plan to manage IoCs dynamically via datasets, then report back matches of those IoCs. This is a feature request to store additional values, i.e., IDs, in a dataset, much like a map
or even “arrays as values”.
Instead of entries being in a set or not, we could have values assigned to each entry. keys
could be used to implement the functions isset
and isnotset
, values
could then be referenced by that key
.
Example: There is a dataset called evil-domains
, in it are keys and values like evil.com
(key) -> 12345
(value).
Suricata rule-writing would not change in syntax, the checks isset
and isnotset
could be used the same way. But when hooking alerts
via the Lua scripting engine, it would be handy to have the matched key (evil.com
) and its value (12345
) provided in the hooks' context.
Updated by Philippe Antoine 6 months ago
- Assignee set to Community Ticket
- Target version set to TBD