Why not leverage Suricata datasets for IoC rules?

Why are IoC rulesets such as in ciarmy.rules still using regular Suricata rules?

Wouldn’t it be much more efficient to use Suricata datasets for matching a huge number of IoCs?

Or what am I missing?

1 Like

Thanks @chilton for your question. Currently these publicly-sourced rules are generated to be somewhat engine-agnostic when output. As such, supporting datasets in isolation as a solution for these rules means they wouldn’t be able to be used for Snort customers & community users.

That’s not a reason to never pursue datasets as an option for Suricata, though. We’re currently going through internal triaging of various engineering-intensive product offerings and features. Pursuing support for dataset-based IOC rules across the entire ruleset (not just auto-generated rules) is on that list. It will lead to a few changes to the rulesets in the future. For example: individual IOC-based signatures will have a Snort SID which simply will not exist for our Suricata set because it would be gathered into an ‘overall’ dataset-based SID.

As we make these changes in the future we will be transparent about the release window. In short, I’ll simply say datasets are definitely an option for these rules and we’ll be excited to offer them in the future.