Suricata dataset configuration

[JW7173]

I am trying to get the suricata dataset to work with security onion 2.4.120

I add the following to suricata\advanced settings in soc configuration

suricata:
config:
datasets:
defaults:
memcap: 100mb
hashsize: 2048
rules:
allow-absolute-filenames: true
allow-write: true
ipaddr-seen:
type: ipv4
state: ipaddr-seen.lst

I can see that the text is added to the suricata.yaml file.
When I look in the suricata log I get the following error.

E: datasets: fopen '/var/lib/suricata/data/ipaddr-seen.lst' failed: Permission denied

When I look at the filesystem the folders suricata/data do not exist.
I edited the config.sls file to add these folders.

suridata1dir:
file.directory:
- name: /var/lib/suricata/data
- user: 940
- group: 939
- mode: 770
- makedirs: True

The folders is created but I still get the error

E: datasets: fopen '/var/lib/suricata/data/ipaddr-seen.lst' failed: Permission denied
i: detect-dataset: Allowing absolute filename for dataset rule: /var/lib/suricata/data/ipaddr-seen.lst
E: datasets: fopen '/var/lib/suricata/data//var/lib/suricata/data/ipaddr-seen.lst' failed: Permission denied
E: detect-dataset: failed to set up dataset 'ipaddr-seen'.

Anyone else has the same issue?

[dougburks]

I haven't tried to use the Suricata dataset feature. You might be able to do something similar with Zeek Intel:
https://docs.securityonion.net/en/2.4/zeek.html#intel

[JW7173]

Thanks for the reply!

I want to use dataset because of the “recording possibility”.

Save IP4 address to file for a couple of days
alert tcp any any -> any any (msg:"IP saved"; ip.src; dataset:set,ipaddr-seen, type ipv4, state ipaddr-seen.lst; sid:200056; rev:1;)

Then use the following rules to trigger on content in the file.

Alert on IP in or not in file
alert tcp any any -> any any (msg:"IP in ipaddr-seen file"; ip.src; dataset:isset,ipaddr-seen; sid:200062; rev:1;)
alert tcp any any -> any any (msg:"IP not in ipaddr-seen file (New IP seen)"; ip.src; dataset:isnotset,ipaddr-seen; sid:200063; rev:1;)

It is working in suricata software but not in suricata software in security onion.

Best regards.

[presianbg]

Hi,

Do you managed to solve this?
Looks like datasets is the way to have alerts based on threat intel:
https://docs.suricata.io/en/suricata-7.0.9/rules/datasets.html#datasets

We should be able to do it somehow.

Cheers,
PY

[presianbg]

@JW7173 you do not have to change the suricata configuration, its optional. You can set the conf params in the rule itself.
For the locations of the dataset files, you have to take this under consideration:

So my best guess is to use the absolute paths in the load rule, but be careful if you decide to go with allow-absolute-filenames for the state / save actions and absolute paths, because:

[presianbg]

Just tested it and all I can say is that it works quite well for the load action.

[JW7173]

That’s perfect then we have the same functionality as the Zeek intel function!
So now there is only the state method that needs to fixed so we are able to record traffic in file.
This feature if we get it to work in security onion would be perfect to use in airgap system and networks with little changes.
For example, record ssl certificates, user agents, dns query’s, ldap querys etc. Every thing of this is working in suricata but not in security onion suricata.