Project

General

Profile

Actions
Copy link

Feature #8124

open
JF OD

datasets: support subnets

Feature #8124: datasets: support subnets

Added by Juliana Fajardini Reichow 5 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Related issues 1 (1 open0 closed)

Related to Suricata - Task #8123: Suricon 2025 BrainstormAssignedVictor JulienActions

JF Updated by Juliana Fajardini Reichow 5 months ago Actions
Copy link
 #1

  • Related to Task #8123: Suricon 2025 Brainstorm added

VJ Updated by Victor Julien 5 months ago Actions
Copy link
 #2

I think one way to support subnet lookups would be to add a mask transform to the rule lang, so you could do something like ip.src; mask:0xffffff00; datasets:isset, ....

JL Updated by Jeff Lucovsky 3 months ago ยท Edited Actions
Copy link
 #3

I've been working on adding a `cidr` type to the datasets.

Here's an example rule:

alert ip any any -> any any (msg:"Traffic from internal network"; ip.src;dataset:isset,internalnetworks,type cidr,load cidr.lst, key ip; sid:1000001;)

The dataset supports IPv4/IPv6 and uses a radix tree for locating the value.

An example dataset

192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
fc00::/7

Would this also satisfy the goal of the issue?

VJ Updated by Victor Julien 3 months ago Actions
Copy link
 #4

How does it behave wrt concurrency?

JL Updated by Jeff Lucovsky 3 months ago Actions
Copy link
 #5

Good question. Given that my proposed solution doesn't have a hashable entity, the concurrency control would have to be applied to the v4 or v6 radix tree. A mitigation would be to have a RW lock with usage geared towards isset operations.

This may be insufficient and a mask approach may be better.

Actions
Copy link

Also available in: PDF Atom