Project

General

Profile

Actions
Copy link

Feature #8124

open

datasets: support subnets

Added by Juliana Fajardini Reichow 2 months ago. Updated 12 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Related issues 1 (1 open0 closed)

Related to Suricata - Task #8123: Suricon 2025 BrainstormAssignedVictor JulienActions
Actions
Copy link
 #1

Updated by Juliana Fajardini Reichow 2 months ago

  • Related to Task #8123: Suricon 2025 Brainstorm added
Actions
Copy link
 #2

Updated by Victor Julien 2 months ago

I think one way to support subnet lookups would be to add a mask transform to the rule lang, so you could do something like ip.src; mask:0xffffff00; datasets:isset, ....

Actions
Copy link
 #3

Updated by Jeff Lucovsky 13 days ago ยท Edited

I've been working on adding a `cidr` type to the datasets.

Here's an example rule:

alert ip any any -> any any (msg:"Traffic from internal network"; ip.src;dataset:isset,internalnetworks,type cidr,load cidr.lst, key ip; sid:1000001;)

The dataset supports IPv4/IPv6 and uses a radix tree for locating the value.

An example dataset

192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
fc00::/7

Would this also satisfy the goal of the issue?

Actions
Copy link
 #4

Updated by Victor Julien 12 days ago

How does it behave wrt concurrency?

Actions
Copy link
 #5

Updated by Jeff Lucovsky 12 days ago

Good question. Given that my proposed solution doesn't have a hashable entity, the concurrency control would have to be applied to the v4 or v6 radix tree. A mitigation would be to have a RW lock with usage geared towards isset operations.

This may be insufficient and a mask approach may be better.

Actions
Copy link

Also available in: Atom PDF