Hi,
I want to exclude specific IPs (different source and destination IPs) from the $EXTERNAL_NET and $HOME_NET variables for this specific signature, 2018959. With the syntax below I can exclude from either $EXTERNAL_NET or $HOME_NET, but I need to exclude it from both networks. Can somebody help with that?
Sample rule (which I tried, and it is working):
2018959 "\$HOME_NET" "[$HOME_NET,!10.x.x.x]"
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, confidence High, signature_severity Informational, updated_at 2023_04_12;)
One, I am not sure if you have to "\\" double slash like this, but it is the only way I can get suricata-update to work, and in this I'm assuming you are using suricata-update.
Two, you must match with the slash(es) for the '$', and replace what you want, also using regex, such as:
(in modify.conf) 2006380 "\\$HOME_NET .* any any" "$HOME_NET any -> [$EXTERNAL_NET, !$EXTERNAL_IP] any" # Outgoing Basic Password Auth - Make External and Ignore our Public IP
Makes this rule: alert http $HOME_NET any -> any any (msg:"ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; http.header; header_lowercase; content:"authorization|3a 20|Basic"; fast_pattern; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"proxy-authorization|3a 20|Basic"; nocase; content:!"KG51bGwpOihudWxsKQ=="; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; sid:2006380; rev:18; metadata:created_at 2010_07_30, performance_impact Significant, confidence Medium, signature_severity Informational, updated_at 2024_08_07;)
Into this rule: alert http $HOME_NET any -> [$EXTERNAL_NET, !$EXTERNAL_IP] any (msg:"ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; http.header; header_lowercase; content:"authorization|3a 20|Basic"; fast_pattern; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"proxy-authorization|3a 20|Basic"; nocase; content:!"KG51bGwpOihudWxsKQ=="; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; sid:2006380; rev:18; metadata:created_at 2010_07_30, performance_impact Significant, confidence Medium, signature_severity Informational, updated_at 2024_08_07;)
Based on what I can make sense of, you would want a rule more like this one?
2018959 "\\$EXTERNAL_NET any -> \\$HOME_NET any" "[$EXTERNAL_NET,!$EXTERNAL_IP] any -> [$HOME_NET,!10.0.0.3] any"
The unsaid detail here so far is that you have to set up (or automate) finding and setting this external IP in the new EXTERNAL_IP variable that you will define in your suricata.yaml or custom.yaml file.
The automation of this can be via a script that finds your public (external) IP and then modifies the EXTERNAL_IP line to that value via a CLI tool like 'sed'.
Currently, I have manually modified my $HOME_NET to include my IPv6 subnets, but I have not automated this modification yet, mainly because of the complexity of pulling it off (and thankfully my IPv6 subnets have not shifted too quickly). I should be able to use my router's API to get that detail, update the source file, copy it over if it has changed, and either soft-reload or service-restart Suricata.
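A small re-implementation of the modify.conf mechanics discussed in this thread, added as an example; it is not part of the post and not suricata-update's own code. It assumes suricata-update splits each modify line with shell-style quoting (which is why the doubled backslashes are needed so that `\$` reaches the regex engine as a literal dollar sign) and uses a shortened copy of the sid 2018959 rule as constructed input.

```python
import re
import shlex

# Constructed sample: the rule from the question (sid 2018959), body shortened.
RULE_2018959 = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; '
    'flow:established,to_client; classtype:policy-violation; sid:2018959; rev:4;)'
)

# The modify.conf line suggested in the answer, both sides of the header at once.
MODIFY_BOTH_SIDES = (
    r'2018959 "\\$EXTERNAL_NET any -> \\$HOME_NET any" '
    r'"[$EXTERNAL_NET,!$EXTERNAL_IP] any -> [$HOME_NET,!10.0.0.3] any"'
)


def parse_modify_line(line):
    """Split '<sid> "<regex>" "<replacement>"' with shell quoting rules.

    Inside double quotes shlex turns '\\\\' into a single backslash, so the
    file text "\\$HOME_NET" becomes the regex \\$HOME_NET, which matches the
    literal variable name instead of treating '$' as an end anchor.
    A trailing '# comment' (as in the 2006380 line above) is dropped.
    """
    parts = shlex.split(line, comments=True)
    if len(parts) != 3:
        raise ValueError('expected: <sid> "<regex>" "<replacement>"')
    sid, pattern, replacement = parts
    return sid, pattern, replacement


def rule_sid(rule):
    """Return the sid of a rule as a string, or None if it has none."""
    m = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    return m.group(1) if m else None


def apply_modify(rule, modify_line):
    """Apply one modify line to one rule; returns (rule, changed).

    The regex is only applied when the sid matches, mirroring how a
    sid-scoped modify entry leaves every other rule untouched. A pattern
    that does not match (e.g. wrong spacing in the header) leaves the rule
    unchanged and reports changed=False so the mismatch is visible.
    """
    sid, pattern, replacement = parse_modify_line(modify_line)
    if rule_sid(rule) != sid:
        return rule, False
    new_rule, count = re.subn(pattern, replacement, rule)
    return new_rule, count > 0
```

Running `apply_modify(RULE_2018959, MODIFY_BOTH_SIDES)` rewrites only the header, leaving the rule body and sid intact; a one-sided line such as `2018959 "\\$HOME_NET" "[$HOME_NET,!10.0.0.3]"` changes the destination side only, which is the limitation the question describes.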