Project

General

Profile

Actions

Feature #2200

closed

Dynamically add md5 to blacklist without full restart

Added by Scott Macgregor over 7 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I would like to see a feature to add blacklist hash entries dynamically.

One client to this api addition could be suricatasc, similar to adding host bits. Currently the file blacklist is loaded into memory but is not exposed for modifications.

Possible use cases could be:

Open suricatasc add new blacklist entry immediately

Add in new IOCs via 3rd party STIX file, and add them without human intervention using this new api function in python.

Connect detection sandboxes to suricata via the file carving and add identified new malware to the network ids on the fly.

Actions #1

Updated by Andreas Herz over 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD

Are you interested to work on that?

Actions #2

Updated by Mikael Keri about 7 years ago

As there no up vote functionality, I will add this comment instead. I would also like to see this being implemented, it would add a lot of benefit now having to SIG HUP Suricata everytime I add new Black and Whitelist entry. What I could offer is to test it and provide feedback, if and when it gets implemented.

Actions #3

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anonymous to Victor Julien

Working on something.

Actions #4

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 5.0rc1

In 5.0, this can be done using:

file.md5; dataset:isset,<setname>, type md5;

Then over unix socket:
dataset-add <setname> md5 <hex notation of md5>

Actions

Also available in: Atom PDF