Suricata version: 6.0.13
Source: Security Onion
I would like to edit a Suricata rule to exclude a specific string from triggering an alert when found in traffic.
For example, let’s say I have a rule that triggers on the word ‘virus’. It will also trigger on the word ‘virustotal’, although ‘virustotal’ is not suspicious. Therefore, I want to exclude the string ‘virustotal’ from the rule. I have tried using pcre expressions without success. When I implement this, the rule won’t generate any alerts anymore. So, I suspect that there could be a syntax error in my rule. Anyway, I gave it some tries but have not succeeded in achieving this.
Here is the exact rule I am struggling with:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; pcre:"/^((?!win).)*$/smi"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2023_09_20;)
As far as I understand, this rule should not trigger an alert if the string ‘win’ is found in the packet.
Is there something wrong with my syntax? Also, are there more ways to achieve this without using pcre?
Thanks in advance!
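The following Python script is an added illustration, not code from the poster or from the Suricata project. It emulates, on a handful of constructed SNI values, how the keywords in the rule above combine: `dotprefix` prepends a dot to the buffer, `content:".splashtop.com"; endswith;` requires the buffer to end with that suffix, and the `pcre:"/^((?!win).)*$/smi"` negative lookahead passes only when `win` does not occur anywhere. It also emulates the pcre-free alternative the question asks about, a negated content match (`content:!"win"; nocase;` in Suricata syntax), and checks that both exclusion methods agree. The way the emulation applies the transform to the buffer before the regex is an assumption about Suricata's evaluation order made for this example, not something taken from the post.

```python
import re

# Constructed sample SNI values for the example (not from the original post).
SAMPLE_SNIS = [
    "www.splashtop.com",               # plain match, should fire
    "api.splashtop.com",               # plain match, should fire
    "relay-win.splashtop.com",         # contains "win", should be excluded
    "WIN.SPLASHTOP.COM",               # upper-case "win"; pcre is /i, content is not
    "splashtop.com",                   # dotprefix turns this into ".splashtop.com"
    "notsplashtop.com",                # dotprefix prevents a suffix false positive
    "cdn.splashtop.com.evil.example",  # endswith fails, must not fire
]

# Same expression and flags as the pcre in the rule: s (dotall), m (multiline), i (ignore case).
NEG_LOOKAHEAD = re.compile(r"^((?!win).)*$", re.S | re.M | re.I)


def transformed_buffer(sni):
    """Emulate the dotprefix transform on the tls.sni buffer (assumption: the
    transformed buffer is what later keywords in the sticky buffer see)."""
    return "." + sni


def domain_matches(sni):
    """Emulate content:".splashtop.com"; endswith; on the dotprefixed buffer.
    No nocase in the rule, so this comparison is case-sensitive."""
    return transformed_buffer(sni).endswith(".splashtop.com")


def passes_pcre_exclusion(sni):
    """True when the negative-lookahead pcre matches, i.e. "win" is absent."""
    return NEG_LOOKAHEAD.search(transformed_buffer(sni)) is not None


def passes_negated_content(sni):
    """Emulate content:!"win"; nocase; (a negated content match): True when
    "win" is absent, ignoring case."""
    return "win" not in transformed_buffer(sni).lower()


def rule_fires(sni, exclusion=passes_pcre_exclusion):
    """The rule alerts only when the domain content matches AND the exclusion passes."""
    return domain_matches(sni) and exclusion(sni)


def evaluate(snis):
    """Return {sni: (fires_with_pcre, fires_with_negated_content)} for each sample."""
    return {
        sni: (rule_fires(sni, passes_pcre_exclusion),
              rule_fires(sni, passes_negated_content))
        for sni in snis
    }


def exclusions_agree(snis):
    """True when the pcre and the negated-content approach give the same verdict everywhere."""
    return all(a == b for a, b in evaluate(snis).values())


if __name__ == "__main__":
    for sni, (with_pcre, with_content) in evaluate(SAMPLE_SNIS).items():
        print(f"{sni:35} pcre={with_pcre!s:5} content:!={with_content!s:5}")
    print("methods agree:", exclusions_agree(SAMPLE_SNIS))
```

Running it shows the two exclusion methods produce identical verdicts on these inputs; the upper-case sample does not fire under either approach because the case-sensitive content match on `.splashtop.com` already fails before the exclusion is evaluated.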