Feature #5639
open
Allow dataset to match on extracted domain
Added by Eric Leblond about 2 years ago.
Updated 9 months ago.
Description
When matching on tls.sni or http.host, it is convenient to match on the domain name inside the value instead of matching on the full value. If endswith can be used for one domain in one signature using dataset would be more useful.
Related issues
2 (2 open — 0 closed)
- Related to Feature #5681: datasets: add more transform layers to match on domains added
We stopped the discussion on which crate to use:
- https://crates.io/crates/publicsuffix
- https://crates.io/crates/psl
What should we do here ?
Both crates are from the same author. Psl has a list built at compile time but it is supposed to be faster than publicsuffix. This last one load a file that will need to be provided by suricata or installer if we want the feature to work out of the box.
- Related to Feature #6802: Support Domain rollup using existing dataset library added
Also available in: Atom
PDF