Feature #3849
closedExtend Suricata Datasets to Datamaps with Keys and Values
Description
I am looking to implement some sort of “back reporting” from Suricata to another tool. I plan to manage IoCs dynamically via datasets, then report back matches of those IoCs. This is a feature request to store additional values, i.e., IDs, in a dataset, much like a map or even “arrays as values”.
Instead of entries being in a set or not, we could have values assigned to each entry. keys could be used to implement the functions isset and isnotset, values could then be referenced by that key.
Example: There is a dataset called evil-domains, in it are keys and values like evil.com (key) -> 12345 (value).
Suricata rule-writing would not change in syntax, the checks isset and isnotset could be used the same way. But when hooking alerts via the Lua scripting engine, it would be handy to have the matched key (evil.com) and its value (12345) provided in the hooks' context.
Updated by Philippe Antoine over 1 year ago
- Assignee set to Community Ticket
- Target version set to TBD
Updated by Jason Ish 16 days ago
- Related to Feature #7372: datajson: a dataset evolution added
Updated by Victor Julien 16 days ago
I think dataset json support (#7372) would satisfy this. Let me know if you disagree.
Updated by Victor Julien 16 days ago
- Status changed from New to Closed
- Assignee deleted (
Community Ticket) - Target version deleted (
TBD)