Hello,
We had a discussion about blocking things with DNS like pihole previously, and just recently as I have been testing suricata out, I noticed that it is catching DNS queries and doing DNS blocking! So it seems that Suricata already can do what it is I desire!
Here is an example from my IPS log of a domain I tried to access that was caught by Suricata:
| Date: | 01/12 22:42:48 | Name: | ET INFO DNS Query for Suspicious .ml Domain |
|---|---|---|---|
| Priority: | 2 | Type: | Potentially Bad Traffic |
| IP info: | 192.168.3.23:49475 -> 192.168.3.1:53 | | |
| References: | none found | SID: | 2025106 |
So I guess perhaps there could be a way to make Suricata rules to do what I wanted to achieve originally? What do people think about this?
Although I am aware I will need to think about DoH as it won’t be caught like this.
But I think given that ipfire already has a mechanism to update Suricata rules every day, it would just be a matter of updating the PhishArmy rules I make for Suricata every day, right?
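One way to turn a plain domain blocklist into Suricata DNS rules, as an added example that is not from the original post or from IPFire: it assumes a list like PhishArmy's (one domain per line, or hosts-file form with `#` comments), uses the `dns.query` sticky buffer with `dotprefix` (Suricata 6.0+) so that subdomains match but look-alike names such as `notbad.example` do not, and numbers the rules from the local SID range (1000000 and up) so they never collide with ET rules; the sample blocklist inside is constructed.

```python
"""Convert a domain blocklist into Suricata DNS rules (added example)."""
import re

# Local rules must use SIDs >= 1000000 to stay clear of ET/distributed rule SIDs.
LOCAL_SID_START = 1000000
# Labels: 1-63 chars of [a-z0-9-], no leading/trailing '-', at least one dot.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def parse_blocklist(text):
    """Return unique, lowercased, valid domains in first-seen order."""
    domains = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments and blanks
        if not line:
            continue
        domain = line.split()[-1]                      # hosts-file form: "0.0.0.0 name"
        if domain in ("localhost", "0.0.0.0", "127.0.0.1"):
            continue
        if DOMAIN_RE.match(domain) and domain not in domains:
            domains.append(domain)
    return domains

def make_rule(domain, sid, action="drop", rev=1):
    """One rule matching the exact name or any subdomain of it.

    dotprefix prepends '.' to the queried name, so content:".bad.example" with
    endswith matches bad.example and x.bad.example but not notbad.example.
    """
    return (
        f"{action} dns $HOME_NET any -> any any "
        f'(msg:"LOCAL PhishArmy DNS query for {domain}"; '
        f'dns.query; dotprefix; content:".{domain}"; nocase; endswith; '
        f"classtype:bad-unknown; sid:{sid}; rev:{rev};)"
    )

def build_rules(text, action="drop", sid_start=LOCAL_SID_START):
    """Rules for every domain in the list, SIDs assigned in list order."""
    return [make_rule(d, sid_start + i, action)
            for i, d in enumerate(parse_blocklist(text))]

# Constructed sample blocklist mixing plain, hosts-file and junk lines.
SAMPLE = """# constructed sample blocklist
0.0.0.0 phish.example.ml
login-secure.example.tk   # trailing comment
PHISH.example.ml
127.0.0.1 localhost
not a domain!
"""

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE)))
```

Write the output to a file such as `local.rules`, reference it from the Suricata rule paths, and regenerate it whenever the blocklist is refreshed.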