GangGreenTemperTatum

Reputation: 29

Custom Suricata Rules with Datasets of URL Domains in Base64

Any help appreciated on where I am being dumb here?

Trying to configure a custom IDS rule in Suricata using a Dataset (which is an .lst file of base64-encoded domains).

Following this article by IDSTower.

Additional Suricata docs: https://suricata.readthedocs.io/en/latest/rules/datasets.html#dataset https://suricata.readthedocs.io/en/latest/rules/datasets.html?highlight=dataset#dataset

I have tried a bunch of changes and testing, ultimately my rule looks as follows:

alert dns $HOME_NET any -> any any (msg:"DNS Query to Malicious FQDN"; dns.query; dataset:isset, domains_iocs, type string, load /etc/suricata/rules/domains_threatfox_base64.lst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:1234567891;)

This file is included within my suricata.yaml config file; both the custom rule itself and the dataset are within the /etc/suricata/rules directory.

Dry run of Suricata config:

suricata -c /etc/suricata/suricata.yaml -i <interface>

Results in the following, not very verbose, error:

8/8/2022 -- 23:53:16 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> any any (msg:"DNS Query to Malicious FQDN"; dns.query; dataset:isset, domains_iocs, type string, load /etc/suricata/rules/domains_threatfox_base64.lst, memcap 10mb, hashsize 1024; classtype: trojan-activity; sid:1234567891;)" from file /etc/suricata/rules/ads-ioc-dataset.rules at line 1

TYIA!

Upvotes: 0

Views: 1145

Answers (1)

IDSTower

Reputation: 26

Hello from IDSTower Developer :)

The rule syntax is correct and it seems that Suricata is not printing the most useful error message. What you need to check is the following:

  1. Verify that the IOCs list file referenced in the rule exists by running

    ls -lah /etc/suricata/rules/domains_threatfox_base64.lst

  2. Verify that the IOCs list file referenced in the rule is accessible by Suricata. The file should be owned by suricata (assuming a default installation here):

    sudo chown suricata:suricata /etc/suricata/rules/domains_threatfox_base64.lst

    sudo chmod 644 /etc/suricata/rules/domains_threatfox_base64.lst

Upvotes: 0
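As an added example (not from the question or from IDSTower's answer), a POSIX shell helper that checks a `type string` dataset file the way Suricata will consume it: the file must exist and be readable by the user Suricata runs as, and every non-empty line must be valid base64, since a string dataset stores its values base64-encoded and one bad line stops the set (and the rule) from loading. The function names `encode_domain` and `check_dataset_file` and the domain values are chosen here and are constructed, not taken from the post.

```shell
#!/bin/sh
# Added example: sanity-check a Suricata "type string" dataset (.lst) file.
# Each line of such a file is one base64-encoded value; dataset:isset does an
# exact byte comparison against the dns.query buffer, so encode the domain in
# the form it is queried (lowercase, no trailing dot).

# Encode one domain as a single base64 line for a dns.query string dataset.
encode_domain() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//' | base64 | tr -d '\n'
}

# Return 0 if the file exists, is readable, and every non-empty line decodes
# as base64; otherwise report the problem to stderr and return 1.
check_dataset_file() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    [ -r "$file" ] || { echo "not readable by $(id -un): $file" >&2; return 1; }
    status=0
    n=0
    # "|| [ -n "$line" ]" also handles a last line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        if ! printf '%s' "$line" | base64 -d >/dev/null 2>&1; then
            echo "line $n is not valid base64: $line" >&2
            status=1
        fi
    done < "$file"
    return $status
}

# Build a constructed dataset in a temp dir, validate it, then break it.
demo() {
    dir=$(mktemp -d)
    lst="$dir/domains_constructed.lst"
    { encode_domain "Malicious.Example"; echo; encode_domain "bad-host.example."; echo; } > "$lst"
    check_dataset_file "$lst" && echo "ok: $lst"
    echo 'not*base64!' >> "$lst"             # a line Suricata would reject
    check_dataset_file "$lst" || echo "rejected after appending a bad line"
    rm -rf "$dir"
}
```

Run `demo` from a shell to see both outcomes; for the real file, `suricata -T -c /etc/suricata/suricata.yaml` then confirms the rule and dataset load without starting capture.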
