We have had a burst of activity for the rule shown below. So I added 2014702 and 2014703 to our drop.conf file, reloaded Suricata. Nothing changed. I restarted Suricata. Nothing changed.
Other entries in the drop file continue to block SIDs.
I am rather at a loss as to what the problem is.
07/17/2022-12:25:39.667756 [**] [1:2014703:11] ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.69.246:53 -> 136.152.1.37:56709
Here are the entries in drop.conf. The regular expression was a second attempt.
re:201470[0-9] # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port
# 2014702 # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
# 2014703 # ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set [**]
Did you run Suricata-Update after modifying drop.conf? If so, can you confirm the rules did in fact get converted to drop by looking in /var/lib/suricata/rules/suricata.rules (assuming default install locations)?
For what it’s worth, the two ET signatures in question, 2014702 and 2014703 were modified recently and it caused some unintended behavior. The signatures were updated again yesterday (2022-07-19) to ideally resolve the issues at least most folks were seeing.
Greetings, I notice you’ve run into an issue with these two SIDs, this is related to an issue we had over the weekend with a rule update on Friday which persisted until yesterday (Monday).