Address-group arrays with AND instead of OR?

Just installed Suricata (6.0.10) from apt in Debian 12. Might upgrade to a newer Suricata soon, but for now I run with what apt provides.

For instance, the HOME_NET variable in suricata.yaml can be an array, like this

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

That's implicitly OR between those nets.

What if I wanted an AND? Possibly even with a negated value, is that possible?

For instance something like this

EXTERNAL_NET: "!$HOME_NET"
YAHOO: "1.2.3.0/24"
EXT_NOT_YAHOO: "[$EXTERNAL_NET _and_ !$YAHOO]"

Does that make sense? If possible, how do I write that?
12.1. Suricata.yaml — Suricata 8.0.0-dev documentation does not mention such cases.

Then, I would use this to alter some rules

From:
alert http $HOME_NET any -> $EXTERNAL_NET any ...
To:
alert http $HOME_NET any -> $EXT_NOT_YAHOO any ...

Yahoo is just an example:)

It’s just a list, so if there is a check for HOME_NET as long as one of the IPs is one of those listed the signature would match (given the case that all the rest of the signature matches as well).

As you can see with EXTERNAL_NET negation is working. So you could try `EXT_NOT_YAHOO: "[$EXTERNAL_NET,!$YAHOO]"`.

Yes, but it sounds like that would match “ext_net” OR “not yahoo”.

What I am looking for is "ext_net" AND (but) "not yahoo" :slight_smile:

Did you actually try the example?
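To make the question testable offline, here is an added Python model (not from anyone in this thread, and not Suricata's own code) of how Suricata's rule-format documentation describes address groups: entries in a list are unioned, a variable reference is expanded, and a negated entry excludes its addresses from the group. The variable values are constructed to mirror the thread's example; the "no positive entries means any address" case is an assumption of the model.

```python
import ipaddress

# Constructed variables mirroring the thread's example (quotes from YAML dropped).
VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
    "YAHOO": "1.2.3.0/24",
    "EXT_NOT_YAHOO": "[$EXTERNAL_NET,!$YAHOO]",
}


def split_top(s):
    """Split a bracketed list on commas at nesting depth 0 only."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def matches(expr, ip, variables=VARS):
    """True if ip falls inside the address group expr.

    Positive entries of a list are OR'd; a negated entry removes its
    addresses from the group (i.e. AND NOT), as the rule docs describe.
    """
    expr = expr.strip()
    if expr.startswith("!"):                       # "!X": complement of X
        return not matches(expr[1:], ip, variables)
    if expr.startswith("$"):                       # "$VAR": expand the variable
        return matches(variables[expr[1:]], ip, variables)
    if expr.startswith("["):                       # "[a,b,!c]": union minus exclusions
        inner = split_top(expr[1:-1])
        positives = [e for e in inner if not e.startswith("!")]
        negatives = [e for e in inner if e.startswith("!")]
        # Model assumption: a list with only exclusions starts from "any".
        included = any(matches(e, ip, variables) for e in positives) if positives else True
        excluded = any(matches(e[1:], ip, variables) for e in negatives)
        return included and not excluded
    if expr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)
```

Under this model `$EXT_NOT_YAHOO` matches 8.8.8.8 but neither 1.2.3.4 (excluded by `!$YAHOO`) nor 10.1.1.1 (not in `$EXTERNAL_NET`).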