- Zoom webinar on 14.04.2022 by Peter Manev, OISF
- Raise an alert when a DNS query matches an entry in a dataset.
- Transformations can also be applied, e.g. checking the DNS query against an md5 blacklist.
- The suricata-verify repository contains several examples of datasets.
- We should definitely take a look at SELKS / Scirius.
Datasets can be used to:
- Plug in millions of IoCs into sticky buffers for matching
  Show all sticky buffers with: suricata --list-keywords=all
- Match against a list of known bad domains: https://data.netlab.360.com/dga/
- Match on what is not in the Alexa Top 1 Million domains: https://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip
- Build the IoC list:
  netlab360.domains
  or top-1m.domains
- Convert to base64:
  top-1m-b64.dataset
  (unclear whether this is really necessary)
- Reference the dataset in the rule set:
  alert dns $HOME_NET any -> any any (msg:"Sn DGA domains from netlab360"; flow:established,to_server; dns.query; dataset:isset,netlab360-dataset,type string,memcap 150mb,hashsize 1000000,load netlab360.domains; classtype unknown; sid:1000000; rev:1; metadata: created_at 2022_04_08, updated_at 2022_04_08;)
  alert dns any any -> any any (msg:"Non common Domain DNS queries"; dns.query; dataset:isnotset,known-top1m.dns,type string,load top-1m-b64.dataset,memcap 150mb,hashsize 1000000; sid:1000001; rev:1; metadata: created_at 2022_04_08, updated_at 2022_04_08;)
- Can be updated with suricata-update.
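Added worked example (not from the webinar, OISF or the Suricata project): a small Python script that turns a plain domain list such as netlab360.domains into the two dataset file formats the notes touch on. Suricata stores the entries of a "type string" dataset base64-encoded, one per line, so the base64 conversion step above is needed; for the md5 variant mentioned under transformations, the file holds one lowercase hex MD5 digest per line and the rule applies the to_md5 transform to dns.query before the lookup. The script also drops blank lines, comments and exact duplicates first, which is the clean-up the Q&A below suggests doing by script. The function names, the sample domains and the output file names are constructed for this example.

```python
"""Build Suricata dataset files from a plain, newline-separated domain list.

Constructed example; the domains below are reserved example names, not IoCs.
"""
import base64
import hashlib
import sys

# Constructed sample input: CRLF line ending, a duplicate, a blank and a comment.
SAMPLE_LIST = (
    "# constructed sample list, not real indicators\n"
    "example.com\n"
    "example.com\r\n"
    "test.example.net\n"
    "\n"
    "example.org\n"
)


def normalize_domains(text):
    """Return the cleaned, de-duplicated domain list in first-seen order.

    Strips CRLF and surrounding whitespace, skips blank and '#' comment lines
    and collapses exact duplicates. Suricata does not error on duplicates in a
    dataset file, but removing them beforehand keeps the file and hash small.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        seen.setdefault(line, None)
    return list(seen)


def to_string_dataset(domains):
    """'type string' dataset files hold one base64-encoded value per line."""
    return [base64.b64encode(d.encode("utf-8")).decode("ascii") for d in domains]


def to_md5_dataset(domains):
    """'type md5' dataset files hold one lowercase hex MD5 digest per line.

    The matching rule must hash the query the same way (dns.query; to_md5;).
    """
    return [hashlib.md5(d.encode("utf-8")).hexdigest() for d in domains]


def dataset_rule(sid, name, dataset_type, load, negate=False):
    """Render a DNS rule that looks the query up in the given dataset.

    For md5 datasets the to_md5 transform is inserted right after the sticky
    buffer so the hashed query is compared with the hashed list; for string
    datasets the buffer is compared as-is (Suricata base64-decodes the file).
    """
    op = "isnotset" if negate else "isset"
    transform = "to_md5; " if dataset_type == "md5" else ""
    return (
        f'alert dns any any -> any any (msg:"dataset {op} {name}"; '
        f"dns.query; {transform}"
        f"dataset:{op},{name},type {dataset_type},load {load},"
        f"memcap 150mb,hashsize 1000000; sid:{sid}; rev:1;)"
    )


def write_lines(path, lines):
    """Write one dataset entry per line, newline-terminated."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")


def main(argv):
    # Usage: python build_datasets.py [domains.txt]; without a file the
    # constructed sample list is used and the rules are printed to stdout.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LIST
    domains = normalize_domains(text)
    write_lines("domains-b64.dataset", to_string_dataset(domains))
    write_lines("domains.md5", to_md5_dataset(domains))
    print(f"{len(domains)} unique domains written")
    print(dataset_rule(1000000, "domains-string", "string", "domains-b64.dataset"))
    print(dataset_rule(1000001, "domains-md5", "md5", "domains.md5"))


if __name__ == "__main__":
    main(sys.argv)
```

The string and md5 files are generated from the same cleaned list, so the two rules can be compared side by side; the dataset names and memcap/hashsize values mirror those used in the rules above but are otherwise arbitrary.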
-
Q: How are duplicates handled in the datasets? Are they recognized?
A: There will be no error from Suricata, but it is better to clean them up beforehand with scripts.
-
Q: Are there any differences regarding performance when having one large dataset list in one single rule compared to having multiple smaller lists in multiple rules?
A: Depends on the use case, but there should not be any known negative performance impact.