Feature #2200
closedDynamically add md5 to blacklist without full restart
Description
I would like to see a feature to add blacklist hash entries dynamically.
One client to this api addition could be suricatasc, similar to adding host bits. Currently the file blacklist is loaded into memory but is not exposed for modifications.
Possible use cases could be:
Open suricatasc add new blacklist entry immediately
Add in new IOCs via 3rd party STIX file, and add them without human intervention using this new api function in python.
Connect detection sandboxes to suricata via the file carving and add identified new malware to the network ids on the fly.
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Are you interested to work on that?
Updated by Mikael Keri about 7 years ago
As there no up vote functionality, I will add this comment instead. I would also like to see this being implemented, it would add a lot of benefit now having to SIG HUP Suricata everytime I add new Black and Whitelist entry. What I could offer is to test it and provide feedback, if and when it gets implemented.
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee changed from Anonymous to Victor Julien
Working on something.
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 5.0rc1
In 5.0, this can be done using:
file.md5; dataset:isset,<setname>, type md5;
Then over unix socket:
dataset-add <setname> md5 <hex notation of md5>