Address-group arrays with AND instead of OR?

pirx · April 11, 2024, 12:30pm

Just installed Suricata (6.0.10) from apt in Debian 12. Might upgrade to a newer Suricata soon, but for now i run with what apt provides.

For instance, the HOME_NET variable in suricata.yaml can be an array, like this

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Thats implicitly OR between those nets.

What if i wanted an AND? Possibly even with a negated value, is that possible?

For instance something like this

EXTERNAL_NET: "!$HOME_NET"
YAHOO: "1.2.3.0/24"
EXT_NOT_YAHOO: "[$EXTERNAL_NET _and_ !$YAHOO]"

Does that make sense? If possible, how do i write that?
12.1. Suricata.yaml — Suricata 8.0.0-dev documentation does not mention such cases.

Then, i would use this to alter some rules

From:
alert http $HOME_NET any -> $EXTERNAL_NET any ...
To:
alert http $HOME_NET any -> $EXT_NOT_YAHOO any ...

Yahoo is just an example:)

Andreas_Herz · April 25, 2024, 6:39pm

It’s just a list, so if there is a check for HOME_NET as long as one of the IPs is one of those listed the signature would match (given the case that all the rest of the signature matches as well).

As you can see with EXTERNAL_NET negation is working. So you could try `EXT_NOT_YAHOO:“[$EXTERNAL_NET,!$YAHOO]”.

pirx · April 26, 2024, 8:03am

Yes, but it sounds like that would match “ext_net” OR “not yahoo”.

What i am looking for is “ext_net” AND(but) “not yahoo”

Topic		Replies	Views
Excluding VARS from HOME_NET & EXTERNAL_NET Rules	1	971	February 27, 2021
$HOME_NET in suricata rule ignored? Rules rules , suricata	2	230	December 18, 2023
Question about OR, AND Operator Logical Rules	2	219	June 7, 2023
Modify.conf question Rules	2	450	November 25, 2021
Suricata-update - modify.conf and $EXTERNAL_NET Help	2	589	February 19, 2021

Address-group arrays with AND instead of OR?

Related Topics