Editing Suricata rule to exclude specific string

Suricata version: 6.0.13

OS: 20.04 LTS

Source: Security Onion

Good day,

I would like to edit a Suricata rule to exclude a specific string from triggering an alert when found in traffic.

For example, let’s say I have a rule that triggers on the word ‘virus’. It will also trigger on the word ‘virustotal’, although ‘virustotal’ is not suspicious. Therefore, I want to exclude the string ‘virustotal’ from the rule. I have tried using pcre expressions without success. When I implement this, the rule won’t generate any alerts anymore. So, I suspect that there could be a syntax error in my rule. Anyway, I gave it some tries but have not succeeded in achieving this.

Here is the exact rule I am struggling with:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; pcre:"/^((?!win).)*$/smi"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2023_09_20;)

As far as I understand, this rule should not trigger an alert if the string ‘win’ is found in the packet.

My question:

Is there something wrong with my syntax? Also, are there more ways to achieve this without using pcre?

Thanks in advance!

Hi Lucas_C,

A couple of quick notes.

With Emerging Threats signatures, if you have questions you can also always open a support case to discuss what you are seeing and share any additional files (Feedback). (We, the ET team, always try to make sure folks are aware of that support option as well as our forum https://community.emergingthreats.net/.) Always happy to answer questions here as well, though; I just wanted to make sure to share the other support options too.

The original signature for reference:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)

The signature in question is using the TLS parser; this is specified with the tls part of the signature after the word alert. This ensures that we will only be looking at traffic the TLS parser sees and not, for example, SMTP traffic.

In this signature we are looking for matches on the SNI, using the tls.sni sticky buffer (reference: 8.16. SSL/TLS Keywords — Suricata 8.0.0-dev documentation). With sticky buffers all following content or pcre matches will match in the tls.sni buffer until another sticky buffer is specified.

We are looking for the content "splashtop.com" in the TLS SNI with some additional specifics. The TLS SNI content needs to end with "splashtop.com", hence the endswith keyword (reference: 8.7. Payload Keywords — Suricata 8.0.0-dev documentation).

We are also looking for subdomain matches to splashtop.com, using the dotprefix transformation (reference: 8.9. Transformations — Suricata 8.0.0-dev documentation).

So the first question I have would be: do you want to exclude content you are seeing in the tls.sni buffer?

If you are looking to negate content in this signature, it would be on a TLS stream, not a single packet per se.

If you have pcap or EVE logging that could show us what you are seeing that you want to exclude, and you can share it, that could be helpful.

If you don’t want to share in an open forum, feel free to open a support case using the Emerging Threats feedback link above.

JT

Hello JT,

I would like to adjust the rule for the TLS stream. Specifically, if the string ‘win’ is present anywhere in the stream, I would prefer that the alert is not triggered. However, under all other circumstances, I would like the rule to be activated when ‘.splashtop.com’ is detected in the SNI. Thank you for your swift response!

Lucas

Well, from what you have mentioned, something like the following example should work for what you are looking for:

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; content:!"win"; tls.sni; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)

Here we are negating the content "win" anywhere in the stream (no sticky buffers used) and letting the tls.sni buffer and content match work as they originally do.

HTH,

JT
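To make the buffer scoping discussed in this thread concrete, the following is an added Python model, written for this page and not Suricata's engine or either poster's code, of how the three rule variants above evaluate: the published sid:2035763, Lucas's variant with the pcre inside the tls.sni section, and JT's variant with content:!"win" placed before tls.sni. It models dotprefix, endswith, negated content and the pcre flags as the rules use them (content is case-sensitive because no nocase is set; the pcre has the i flag). The flows are constructed: a stand-in ClientHello payload that carries the SNI in cleartext, as a real ClientHello does, plus optional extra bytes. It goes a little beyond the thread by putting the SNI-scoped and payload-scoped exclusions side by side on the same inputs.

```python
import re

# Constructed stand-in for a TLS ClientHello as Suricata would see it: the
# SNI string exposed in the tls.sni buffer, plus the raw packet payload.
# A real ClientHello carries the SNI in cleartext, so the payload always
# contains the SNI; extra_payload stands in for any other bytes in the packet.
def make_flow(sni: str, extra_payload: bytes = b"") -> dict:
    payload = b"\x16\x03\x01" + sni.encode() + extra_payload  # constructed bytes
    return {"sni": sni, "payload": payload}

# --- models of the keywords used in the rules -----------------------------

def dotprefix(buf: str) -> str:
    # dotprefix transformation: prepend "." so that "api.splashtop.com"
    # ends with ".splashtop.com" while "evilsplashtop.com" does not
    return "." + buf

def content_endswith(buf: str, pattern: str) -> bool:
    # content:"pattern"; endswith;  (case-sensitive: the rule has no nocase)
    return buf.endswith(pattern)

def content_negated(buf: bytes, pattern: bytes) -> bool:
    # content:!"pattern";  the keyword succeeds only when pattern is absent
    return pattern not in buf

def pcre_no_win(buf: str) -> bool:
    # pcre:"/^((?!win).)*$/smi"  flags: s=DOTALL, m=MULTILINE, i=IGNORECASE
    return re.search(r"^((?!win).)*$", buf, re.S | re.M | re.I) is not None

def sni_buffer(flow: dict) -> str:
    # "tls.sni; dotprefix;" -> the transformed sticky buffer that every
    # content/pcre keyword following it (until another buffer) matches against
    return dotprefix(flow["sni"])

# --- the three rule variants from the thread -------------------------------

def rule_original(flow: dict) -> bool:
    # sid:2035763 rev:1 as published by ET
    return content_endswith(sni_buffer(flow), ".splashtop.com")

def rule_sni_pcre(flow: dict) -> bool:
    # Lucas's variant: the pcre sits inside the tls.sni section, so it is
    # evaluated against the (dot-prefixed) SNI only
    buf = sni_buffer(flow)
    return content_endswith(buf, ".splashtop.com") and pcre_no_win(buf)

def rule_payload_negation(flow: dict) -> bool:
    # JT's variant: content:!"win" comes before tls.sni, so it has no sticky
    # buffer and is evaluated against the packet payload, not the SNI
    return (content_negated(flow["payload"], b"win")
            and content_endswith(sni_buffer(flow), ".splashtop.com"))

RULES = {
    "original": rule_original,
    "sni_pcre": rule_sni_pcre,
    "payload_negation": rule_payload_negation,
}

def evaluate(flows: list) -> dict:
    """Return {rule_name: [alert?, ...]} with one bool per flow, in order."""
    return {name: [rule(f) for f in flows] for name, rule in RULES.items()}

# Constructed sample flows covering the cases discussed in the thread
SAMPLE_FLOWS = [
    make_flow("api.splashtop.com"),                            # ordinary subdomain
    make_flow("splashtop.com"),                                # apex domain
    make_flow("my-win-host.splashtop.com"),                    # "win" inside the SNI
    make_flow("api.splashtop.com", b"\x00\x10windows-agent"),  # "win" only outside the SNI
    make_flow("evilsplashtop.com"),                            # dotprefix defeats this suffix trick
    make_flow("splashtop.com.example.net"),                    # not a suffix match at all
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_FLOWS)
    print(f"{'sni':32} " + " ".join(f"{n:>17}" for n in RULES))
    for i, flow in enumerate(SAMPLE_FLOWS):
        row = " ".join(f"{str(results[n][i]):>17}" for n in RULES)
        print(f"{flow['sni']:32} {row}")
```

Running it prints one row per sample SNI. The fourth row is the one that matters for the thread: when "win" appears in the packet but not in the SNI, the pcre inside the tls.sni section still alerts, while JT's negated content before tls.sni suppresses the alert, which is the "anywhere in the stream" behaviour Lucas asked for. The fifth row shows why dotprefix is in the published rule at all.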