Project

General

Profile

Actions
Copy link

Feature #5639

open

Allow dataset to match on extracted domain

Added by Eric Leblond over 2 years ago. Updated over 1 year ago.

Status:
In Review
Priority:
Normal
Assignee:
Eric Leblond
Target version:
TBD
Effort:
Difficulty:
Label:

Description

When matching on tls.sni or http.host, it is convenient to match on the domain name inside the value instead of matching on the full value. If endswith can be used for one domain in one signature using dataset would be more useful.

Related issues 2 (2 open0 closed)

Related to Suricata - Feature #5681: datasets: add more transform layers to match on domainsNewOISF DevActions
Related to Suricata - Feature #6802: Support Domain rollup using existing dataset libraryNewOISF DevActions
Actions
Copy link
 #1

Updated by Victor Julien over 2 years ago

  • Related to Feature #5681: datasets: add more transform layers to match on domains added
Actions
Copy link
 #2

Updated by Eric Leblond over 1 year ago

We stopped the discussion on which crate to use:
- https://crates.io/crates/publicsuffix
- https://crates.io/crates/psl
What should we do here ?

Both crates are from the same author. Psl has a list built at compile time but it is supposed to be faster than publicsuffix. This last one load a file that will need to be provided by suricata or installer if we want the feature to work out of the box.

Actions
Copy link
 #3

Updated by Jason Ish about 1 year ago

  • Related to Feature #6802: Support Domain rollup using existing dataset library added
Actions
Copy link

Also available in: Atom PDF