Feature #2200
closed
Dynamically add md5 to blacklist without full restart
Added by Scott Macgregor about 7 years ago.
Updated about 5 years ago.
Description
I would like to see a feature to add blacklist hash entries dynamically.
One client to this api addition could be suricatasc, similar to adding host bits. Currently the file blacklist is loaded into memory but is not exposed for modifications.
Possible use cases could be:
Open suricatasc add new blacklist entry immediately
Add in new IOCs via 3rd party STIX file, and add them without human intervention using this new api function in python.
Connect detection sandboxes to suricata via the file carving and add identified new malware to the network ids on the fly.
- Assignee set to Anonymous
- Target version set to TBD
Are you interested to work on that?
As there no up vote functionality, I will add this comment instead. I would also like to see this being implemented, it would add a lot of benefit now having to SIG HUP Suricata everytime I add new Black and Whitelist entry. What I could offer is to test it and provide feedback, if and when it gets implemented.
- Status changed from New to Assigned
- Assignee changed from Anonymous to Victor Julien
- Status changed from Assigned to Closed
- Target version changed from TBD to 5.0rc1
In 5.0, this can be done using:
file.md5; dataset:isset,<setname>, type md5;
Then over unix socket:
dataset-add <setname> md5 <hex notation of md5>
Also available in: Atom
PDF