Feature #3848
open
Keep a Reference to Matched Items in Suricata Datasets for Rule-Writing
Added by Felix Ortmann over 4 years ago.
Updated 4 months ago.
Description
When writing custom rules with datasets one can only consider matches in the entire dataset, but not the matched item itself. So I can check `isset` or `isnotset` when writing a custom rule. But when I then create an alert from that rule I’m missing some kind of an ID or a placeholder to reference the matched item.
This is a feature request to provide a placeholder for matched items in datasets for rule writing. A placeholder could be a variable that takes the value of the matched item like `$match`, which then can be used to write the alert message. Example rule, given a dataset called `dns-sha256-seen`: `alert dns any any -> any any (msg:"evil entry $matched discovered"; dns.query; to_sha256; dataset:isset,dns-sha256-seen; sid:123; rev:1;)`
- Status changed from New to Feedback
- Assignee set to Community Ticket
- Target version set to TBD
Could you get it with PCRE capture?
like
`pcre:"/(.+)/,flow:dns_matched_query";`
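The workaround suggested in the comment above, worked through end to end as an added example (not code from the ticket or from the Suricata project): the dataset keeps only hashes, so the rule re-enters `dns.query` untransformed and lets `pcre` capture the raw query into a flow variable, which EVE then emits under `alert.metadata.flowvars` when `metadata` output is enabled. The rule text, the dataset file name, the sid and the EVE record are all constructed for illustration; the side table of hash to query is the piece the ticket asks Suricata to keep for you.

```python
"""Recover the matched dataset item via a pcre flow-variable capture.

Added example, not from the ticket or from Suricata. Assumes a rule that
pairs dataset:isset with a pcre capture and an EVE alert record with
alert.metadata.flowvars present (both constructed below).
"""
import hashlib
import json

# Constructed sample: DNS names whose hashes populate the dataset.
SEEN_QUERIES = ["malicious.example", "c2.example.net"]

# Assumed rule (hypothetical sid and file name). The dataset check runs on
# the hashed buffer; dns.query is then restated so pcre sees the raw query
# and stores it in the flow variable dns_matched_query.
RULE = (
    'alert dns any any -> any any (msg:"evil entry discovered"; '
    'dns.query; to_sha256; '
    'dataset:isset,dns-sha256-seen,type sha256,load dns-sha256-seen.lst; '
    'dns.query; pcre:"/^(.+)$/,flow:dns_matched_query"; sid:123; rev:1;)'
)


def dataset_entry(query):
    """Hex SHA-256 of the query, the form a sha256-type dataset file stores
    and what dns.query; to_sha256; is compared against."""
    return hashlib.sha256(query.encode()).hexdigest()


def build_dataset(queries):
    """Return the dataset file lines and a hash->query side table.

    The hashed dataset alone tells you *that* something matched, not what;
    the side table is what turns a hash back into the matched item.
    """
    table = {dataset_entry(q): q for q in queries}
    return list(table), table


def matched_item(eve_line, table):
    """Pull dns_matched_query out of an EVE alert and confirm it is really in
    the dataset; returns None for non-alerts, missing captures or mismatches."""
    ev = json.loads(eve_line)
    if ev.get("event_type") != "alert":
        return None
    flowvars = ev.get("alert", {}).get("metadata", {}).get("flowvars", [])
    for var in flowvars:
        value = var.get("dns_matched_query")
        if value is not None and dataset_entry(value) in table:
            return value
    return None


# Constructed EVE record shaped like a Suricata alert with metadata enabled.
EVE_ALERT = json.dumps({
    "timestamp": "2020-08-01T12:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53", "proto": "UDP",
    "alert": {
        "signature_id": 123, "rev": 1,
        "signature": "evil entry discovered",
        "metadata": {"flowvars": [{"dns_matched_query": "malicious.example"}]},
    },
    "dns": {"type": "query", "rrname": "malicious.example", "rrtype": "A"},
})

if __name__ == "__main__":
    lines, table = build_dataset(SEEN_QUERIES)
    print("dataset file contents:")
    print("\n".join(lines))
    print("rule:", RULE)
    print("matched item:", matched_item(EVE_ALERT, table))
```

The capture works only because the rule restates `dns.query` after the `dataset` keyword: `to_sha256` transforms the sticky buffer, so a `pcre` placed directly after it would run against the hash, not the name. Confirming the captured value hashes into the dataset guards against a stale flow variable left behind by another rule on the same flow.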