Feature #8385
datasets: add support for subdomain match
Description
Problem
There is currently no way to use datasets to block a domain and all its subdomains. The existing domain; transform extracts the registrable domain (eTLD+1), which is useful for normalization but not for subdomain-level blocklists.
For example, adding mail.evil.com to a dataset and using domain; will never match: the transform reduces a query such as sub.mail.evil.com to evil.com before the dataset lookup, so the entry is never hit. Only base domains work with domain;, which makes it impossible to maintain subdomain blocklists.
The dotprefix; content; endswith; pattern does handle subdomains correctly, but endswith cannot be combined with a dataset.
Proposal
Add a match subdomain option to the dataset keyword. When set, the lookup walks up the domain hierarchy checking each level against the dataset until a match is found.
Example rule:
reject dns any any -> any any (msg:"Blocked domain"; dns.query; dotprefix; dataset:isset,blocked-domains,type string,match subdomain,load blocked-domains.lst; sid:1; rev:1;)
With .mail.evil.com in the dataset, this matches mail.evil.com, sub.mail.evil.com, etc., while evil.com and notmail.evil.com (no label boundary) do not match.
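The walk-up lookup described in the proposal, written out as a small Python model (added example, not Suricata's implementation). It assumes dataset entries are stored in the same dotprefix form the rule above loads (.mail.evil.com), mimics dotprefix as a plain dot prefix, and contrasts the proposed match with the single exact lookup the dataset keyword performs today.

```python
from typing import Iterable, Optional, Set

# Constructed stand-in for blocked-domains.lst: one dotprefixed entry per line.
BLOCKED_DOMAINS_LST = """
# comment lines and blanks are skipped
.mail.evil.com
.tracker.example
"""


def dotprefix(name: str) -> str:
    """Model of the dotprefix transform: prepend a single dot to the buffer."""
    return "." + name


def load_dataset(lines: Iterable[str]) -> Set[str]:
    """Model of `load <file>` for a `type string` dataset (assumed format)."""
    entries = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def match_exact(dataset: Set[str], query: str) -> bool:
    """Current behaviour: one lookup of the dotprefixed query, no hierarchy walk."""
    return dotprefix(query) in dataset


def match_subdomain(dataset: Set[str], query: str) -> Optional[str]:
    """Proposed `match subdomain`: check the dotprefixed query, then strip the
    leftmost label and retry, until a dataset entry is hit or no labels remain.
    Returns the matching entry, or None."""
    buf = dotprefix(query)
    while True:
        if buf in dataset:
            return buf
        # ".sub.mail.evil.com" -> ".mail.evil.com" -> ".evil.com" -> ".com"
        nxt = buf.find(".", 1)
        if nxt == -1:
            return None
        buf = buf[nxt:]


if __name__ == "__main__":
    ds = load_dataset(BLOCKED_DOMAINS_LST.splitlines())
    for q in ["mail.evil.com", "sub.mail.evil.com", "evil.com", "notmail.evil.com"]:
        print(f"{q:20} exact={match_exact(ds, q)!s:5} subdomain={match_subdomain(ds, q)}")
```

Because the leading dot stays on the buffer at every step, notmail.evil.com is walked as .notmail.evil.com, .evil.com, .com and never touches the .mail.evil.com entry.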
https://redmine.openinfosecfoundation.org/issues/6802 mentions something similar to this.
Updated by Antoine abf 5 days ago
- Related to Feature #6802: Support Domain rollup using existing dataset library added
Updated by Antoine abf 5 days ago
- Target version changed from 9.0.0 to 9.0.0-beta1
Updated by Antoine abf 3 days ago
Updated by Shivani Bhardwaj 2 days ago
- Subject changed from Dataset Subdomain Match to datasets: add support for subdomain match
- Status changed from New to In Review