Feature #3849

open

Extend Suricata Datasets to Datamaps with Keys and Values

Added by Felix Ortmann over 4 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

I am looking to implement some sort of “back reporting” from Suricata to another tool. I plan to manage IoCs dynamically via datasets, then report back matches of those IoCs. This is a feature request to store additional values, i.e., IDs, in a dataset, much like a map or even “arrays as values”.

Instead of entries being in a set or not, we could have values assigned to each entry. Keys could be used to implement the functions isset and isnotset; values could then be referenced by that key.

Example: There is a dataset called evil-domains, in it are keys and values like evil.com (key) -> 12345 (value).

Suricata rule-writing would not change in syntax, the checks isset and isnotset could be used the same way. But when hooking alerts via the Lua scripting engine, it would be handy to have the matched key (evil.com) and its value (12345) provided in the hooks' context.
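Until a dataset can carry a value next to each key, the key-to-ID mapping has to live outside Suricata and be joined back onto alerts. The Python below is an added illustration of that workaround, not code from the ticket or from the Suricata project: it renders the keys of a constructed IoC map (evil.com -> 12345, as in the example above) as a string-dataset file, where each line is the base64-encoded value, and then joins constructed EVE JSON alert lines back to the map to produce the (signature, key, value) triple the request wants handed to Lua hooks. The IoC map, the EVE lines, and the field locations used for the hostname (http.hostname, dns.query[].rrname) are assumptions made for this example.

```python
import base64
import json

# Constructed IoC map: indicator (the dataset key) -> external ID (the value
# the feature request asks to store alongside it).
IOC_MAP = {
    "evil.com": 12345,
    "bad.example.net": 67890,
}


def build_dataset_lines(ioc_map):
    """Render the keys as a Suricata string-dataset file.

    String datasets load from a file with one base64-encoded value per line.
    There is no slot for the ID on those lines, which is exactly the gap the
    feature request describes, so the IDs stay in the sidecar map.
    """
    return [base64.b64encode(k.encode()).decode() for k in sorted(ioc_map)]


def extract_hostnames(event):
    """Collect candidate dataset keys from one EVE alert record.

    Assumption for this example: the hostname is found at http.hostname or
    dns.query[].rrname in the constructed input.
    """
    names = []
    http = event.get("http") or {}
    if "hostname" in http:
        names.append(http["hostname"])
    dns = event.get("dns") or {}
    for query in dns.get("query", []):
        if "rrname" in query:
            names.append(query["rrname"])
    return names


def back_report(eve_lines, ioc_map):
    """Join alert events to the IoC map.

    Returns one record per matched key with the signature id, the matched
    key and its mapped value: the same triple the request wants exposed in
    the Lua hook context. Non-alert events and unmapped names are skipped.
    """
    reports = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        sid = event.get("alert", {}).get("signature_id")
        for name in extract_hostnames(event):
            if name in ioc_map:
                reports.append({"sid": sid, "key": name, "value": ioc_map[name]})
    return reports


# Constructed EVE JSON lines standing in for Suricata's eve.json output.
SAMPLE_EVE = [
    '{"event_type":"alert","alert":{"signature_id":1000001},'
    '"http":{"hostname":"evil.com"}}',
    '{"event_type":"alert","alert":{"signature_id":1000002},'
    '"dns":{"query":[{"rrname":"bad.example.net"}]}}',
    '{"event_type":"alert","alert":{"signature_id":1000003},'
    '"http":{"hostname":"benign.example.org"}}',
    '{"event_type":"dns","dns":{"query":[{"rrname":"evil.com"}]}}',
]

if __name__ == "__main__":
    # The dataset file Suricata would load (keys only, base64 per line).
    for dataset_line in build_dataset_lines(IOC_MAP):
        print(dataset_line)
    # The back-report records to send to the IoC management tool.
    for record in back_report(SAMPLE_EVE, IOC_MAP):
        print(json.dumps(record))
```

The join is keyed on the same string that Suricata matched, so the sidecar map must be regenerated whenever the dataset file changes; with the requested feature the value would travel with the key inside Suricata and this second lookup would disappear.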
