Feature #7729

open

Ability to use local fqdns (to get ipv4 and/or ipv6) in address-groups vars

Added by Jim McKibben 4 days ago.

Status:
New
Priority:
Normal

Description

TL;DR: What if we add a dynamic feature to address-group vars via FQDN strings in the list? Have Suricata resolve and add/remove as ( static +/- ( dynamic +/- updates) ) or whatever works better. In this, 'static' is the raw IP items in the address-group, 'dynamic' are the resolved IPs from the FQDN items in the address-group, and 'updates' are the changes from the next DNS resolution run.

The long:
There are several dynamic IP hosts on my network that the local FQDNs are updated for (hostname.homelab.home), and it would be useful to use address-groups of lists of local FQDNs that Suricata would periodically (every 5 minutes - default?) resolve via the OS DNS stack, or this might be done via the Suricata stack via a list of specified DNS servers. The latter might be preferred, as the extra control could be very useful.

This would be useful in my Suricata setup as address-group vars are used in mapping a few bypass rules for specific hosts, and some of the suspicious and HTTP rules have been modified using suricata-update to use address-groups. This cleans up my alerts and lightens the load on Suricata.

The goal then is, in addition to the list of IPs and subnets found in address-group vars, that FQDNs could also be included that Suricata would then find the IPs (IPv4 and IPv6) for and dynamically update that address-group var according to the new IPs. It might be nice to have an age-off time period there too, as well as a setting for how often to update each FQDN-enhanced, now dynamic, list. The update would keep any otherwise now 'static IP' or 'static subnet' additions or removals that are part of the address-group.

The alternative is, and it is a bit much, to make a shell script to update the vars in the Suricata custom.yaml file for me. My Suricata host is FreeBSD and I've had a very difficult time trying to get a shell script that will resolve the IPs for FQDNs and then dynamically update the var entries in custom.yaml. In short, that's what I'm slowly still after - it is just a tall leap so far.
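As an added illustration of the merge semantics described above (static entries kept as-is, FQDN entries resolved, and resolved addresses aged off when they stop appearing), here is an example script that is not part of the request or of Suricata itself. It builds the value of one address-group var; the entry list, the cache layout and the 15-minute age-off default are assumptions, and the resolver is injectable so a stub can be used in tests while `socket.getaddrinfo` is used for real lookups via the OS stack.

```python
import ipaddress
import socket
import time
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], List[str]]
# Cache layout (assumed): fqdn -> {resolved_ip: last_seen_epoch_seconds}
Cache = Dict[str, Dict[str, float]]


def is_static(entry: str) -> bool:
    """True for literal IPs/CIDRs (optionally negated) or var references, False for FQDNs."""
    if entry.startswith("$"):
        return True  # e.g. $HOME_NET: leave for Suricata to expand
    try:
        ipaddress.ip_network(entry.lstrip("!"), strict=False)
        return True
    except ValueError:
        return False


def os_resolver(fqdn: str) -> List[str]:
    """Resolve A and AAAA records through the OS resolver (default when no stub is given)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # transient failure: cached addresses survive until they age off
    return sorted({info[4][0] for info in infos})


def update_group(entries: Iterable[str], cache: Cache, resolve: Resolver = os_resolver,
                 now: Optional[float] = None, max_age: float = 900.0) -> str:
    """Return the Suricata list string for one address-group: static items + live resolved items.

    `cache` is updated in place so successive runs can age off addresses that
    have not been returned by DNS within `max_age` seconds.
    """
    now = time.time() if now is None else now
    static: List[str] = []
    dynamic = set()
    for entry in entries:
        if is_static(entry):
            static.append(entry)
            continue
        seen = cache.setdefault(entry, {})
        for ip in resolve(entry):
            seen[ip] = now  # refresh last-seen on every successful hit
        for ip, ts in list(seen.items()):
            if now - ts > max_age:
                del seen[ip]  # age off: not resolved recently enough
        dynamic.update(seen)
    # Static entries keep their written order; resolved ones are sorted for stable output.
    return "[" + ",".join(static + sorted(dynamic)) + "]"
```

The returned string is what would be written as the value of the var under `vars.address-groups` in suricata.yaml; a real run would call `update_group` from cron every few minutes with the cache persisted between runs.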

My thoughts are this might be a really useful feature for many of us, and would mean I could just keep really clean and recognizable address-group vars.

The focus in this request is to resolve local FQDNs as external might have a lot of wiggle and honestly, it would be better to do firewall rules around IPs for external FQDNs. That leaves the dynamic internal items that need specific alignment with specific rules, thus my focus on the local FQDN resolution for my IPv6 (and IPv4) hosts. There likely are a few cases where external resolution would be good and if both (local and remote FQDNs) are allowed to be added that would be just as good if not better.

There's also a chance that by parsing the DNS traffic it listens to, Suricata could 'learn' the FQDNs that are locally present, but I think having it actually resolve the FQDNs itself would be the best course of action.

Thank you for your time in reading this, please consider this upgrade/feature for Suricata 7.
