Suricata Rule Using Datasets #14306
Replies: 2 comments 3 replies
How many domains are in these updates? How often are you updating them? And how are you monitoring DNS queries (via Zeek parsing of live network traffic or some kind of log ingestion)?
For that many domains, you might want to use Zeek Intel: https://docs.securityonion.net/en/2.4/zeek.html#intel A lot of this rule generation can be automated using something like MISP or another threat intel platform.
• Security Onion version: 2.4.80
• Is this a cloud deployment or on-prem? On Prem w/internet access
• Did you install from our Security Onion ISO image or did you perform a network installation? I don’t know
• If network installation, what distro and version did you install on?
• How many nodes do you have? 1
• What are the hardware specs of each of those nodes? I don’t know
• How are each of those nodes configured? (ex. manager with 2 search nodes and 3 forward nodes)
• Are you experiencing issues monitoring network traffic? No
• Does so-status show all services running? Yes
• Do you get any failures when you run sudo salt-call state.highstate? No
• Does the SOC Grid page show any failures? No
• Explain your issue:
I periodically receive a list of malicious domains and I would like to create an alert that I can easily update to show any dns requests made for those domains. From the research I have done, it seems that the best way to do this is to create a dataset that I can edit when I receive the updated intelligence. What is the best way to update suricata.yaml to configure the dataset? I have tried doing it through the SOC by adding the following to suricata > config > advanced:
```yaml
datasets:
  id: test-dns-bl
  type: string
  state: /opt/datasets/test-dns-bl.list
```
This update does not seem to be taking, so I assume I am doing it wrong. When I look at suricata.yaml, I do not see an update, nor do I see the date of the file changing. Can this not be configured in the way I am trying to do it? If not, what is the appropriate way?
If there is a better way to accomplish what I am trying to do, then please let me know; I have a lot to learn still!
Thank you!
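An added example, not code from the thread or from Security Onion: a small Python helper that turns a plain domain feed into the one-value-per-line, base64-encoded format Suricata expects for a `string` dataset, and builds the matching `dns.query` rule. It reuses the dataset name `test-dns-bl` and state path `/opt/datasets/test-dns-bl.list` from the question; the feed contents are constructed.

```python
import base64

# Dataset name and state path are taken from the question above.
DATASET_NAME = "test-dns-bl"
STATE_PATH = "/opt/datasets/test-dns-bl.list"

SAMPLE_FEED = """# constructed sample feed, not a real indicator list
Bad.Example
malware-c2.example
bad.example.      # trailing dot and mixed case collapse to the first entry

"""

def normalize(domain: str):
    """Lowercase, strip whitespace and trailing dot so feed and dns.query agree."""
    d = domain.strip().lower().rstrip(".")
    return d or None

def parse_feed(text: str) -> list:
    """Return unique normalized domains, skipping comments and blank lines."""
    out, seen = [], set()
    for line in text.splitlines():
        d = normalize(line.split("#", 1)[0])
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out

def to_dataset_lines(domains) -> list:
    """Suricata 'string' datasets store one base64-encoded value per line."""
    return [base64.b64encode(d.encode("utf-8")).decode("ascii") for d in domains]

def from_dataset_lines(lines) -> list:
    """Inverse of to_dataset_lines; useful for checking a file before deploying it."""
    return [base64.b64decode(ln).decode("utf-8") for ln in lines if ln.strip()]

def build_rule(sid: int, name: str = DATASET_NAME, state: str = STATE_PATH) -> str:
    """Rule that alerts when the queried name is present in the dataset."""
    return ('alert dns any any -> any any (msg:"DNS query for listed domain"; '
            'dns.query; to_lowercase; '
            f'dataset:isset,{name},type string,state {state}; '
            f'sid:{sid}; rev:1;)')

def write_dataset(path: str, feed_text: str) -> int:
    """Write the encoded list to path; returns the number of entries written."""
    lines = to_dataset_lines(parse_feed(feed_text))
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)
```

Re-running `write_dataset(STATE_PATH, feed)` with each new feed regenerates the file; the rule from `build_rule` is where the dataset is referenced, independent of the `suricata.yaml` override question raised in the thread.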