We had a discussion about blocking things with DNS like pihole previously, and just recently as I have been testing suricata out, I noticed that it is catching DNS queries and doing DNS blocking! So it seems that Suricata already can do what it is I desire!
Here is an example from my IPS log of a domain I tried to access that was caught by Suricata:
| Field | Value |
|---|---|
| Date | 01/12 22:42:48 |
| Name | ET INFO DNS Query for Suspicious .ml Domain |
| Priority | 2 |
| Type | Potentially Bad Traffic |
| IP info | 192.168.3.23:49475 -> 192.168.3.1:53 |
So I guess perhaps there could be a way to make Suricata rules to do what I wanted to achieve originally? What do people think about this?
Although I am aware I will need to think about DoH as it won’t be caught like this.
But I think given that ipfire already has a mechanism to update Suricata rules every day, it would just be a matter of updating the PhishArmy rules I make for Suricata every day, right?
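One way to turn a plain domain blocklist into Suricata DNS rules of the kind the post is asking about, as an added example that is not part of the original post and not IPFire's or Suricata's own code. It assumes the list is one domain per line (as the Phishing Army feed is), a Suricata 6 or newer rule syntax (the `dotprefix` transform), and a local SID range starting at 1000000; the sample list is constructed.

```python
import re
from typing import List

# Constructed sample blocklist (not the real Phishing Army feed): comments,
# blank lines, mixed case, a duplicate and a malformed entry on purpose.
SAMPLE_BLOCKLIST = """\
# constructed sample list
login-verify.example.ml
Secure-Update.Example.ML
paypa1-support.example.tk   # inline comment
LOGIN-VERIFY.example.ml
bad;entry.example.com
"""

# Plain hostname only: letters, digits, hyphens and dots, at least one dot.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_blocklist(text: str) -> List[str]:
    """Return the unique, lower-cased, syntactically valid domains, sorted."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        # Anything that is not a plain hostname is dropped: it would be a
        # useless rule or could break rule syntax (quotes, semicolons).
        if line and _DOMAIN_RE.match(line):
            seen.add(line)
    return sorted(seen)


def domain_to_rule(domain: str, sid: int, action: str = "drop") -> str:
    """One rule matching a DNS query for the domain or any of its subdomains.

    dns.query exposes the queried name; dotprefix prepends '.' so that
    '.bad.ml' with endswith matches 'bad.ml' and 'www.bad.ml' but not
    'notbad.ml'. Use action="alert" to log only instead of dropping.
    """
    return (
        f"{action} dns $HOME_NET any -> any any "
        f'(msg:"LOCAL PHISHING DNS query for {domain}"; '
        f'dns.query; dotprefix; content:".{domain}"; nocase; endswith; '
        f"classtype:bad-unknown; sid:{sid}; rev:1;)"
    )


def build_ruleset(text: str, sid_base: int = 1000000, action: str = "drop") -> List[str]:
    """Sorting keeps a domain's SID stable across daily regenerations unless
    an entry sorting before it is added or removed."""
    return [domain_to_rule(d, sid_base + i, action) for i, d in enumerate(parse_blocklist(text))]


if __name__ == "__main__":
    print("\n".join(build_ruleset(SAMPLE_BLOCKLIST)))
```

Write the output to a `.rules` file and reference it from the Suricata configuration; in IPS mode the `drop` action blocks the query packet, so the client simply gets no answer.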