Help Using Modify.Conf

Suricata 7.0.1
Ubuntu 20.0.x
Installed via package

I have made a rule edit and saved it in /etc/suricata/modify.conf
Ran sudo suricata-update, and the change wasn't included in the list of rules and the rule continues to fire.
I keep hearing of people using PulledPork for rule edits. Is this required for Suricata to detect the modification to the rule?

Hi! Welcome to our forum! :slight_smile:
Could you please share your modify.conf, the rule to be modified and what you expected?

No. suricata-update is Suricata’s tool for rule management and should suffice.

Original rule:

alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Address Lookup Domain (get .geojs .io) in DNS Lookup"; dns.query; content:"get.geojs.io"; nocase; bsize:12; classtype:external-ip-check; sid:2039594; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_10_28, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_10_28;)

My edit in the modify.conf file (this is the only line in the file):

2039594 "content:"get.geojs.io"; nocase; bsize:12;" "content:"get.geojs.io"; nocase; bsize:12; content:!"gloriousgaming.com""

Am I doing something wrong?

Output of “suricata-update”

9/10/2023 -- 19:51:38 - <Info> -- Using data-directory /var/lib/suricata.
9/10/2023 -- 19:51:38 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
9/10/2023 -- 19:51:38 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
9/10/2023 -- 19:51:38 - <Info> -- Found Suricata version 7.0.1 at /usr/bin/suricata.
9/10/2023 -- 19:51:38 - <Info> -- Loading /etc/suricata/disable.conf.
9/10/2023 -- 19:51:38 - <Info> -- Loading /etc/suricata/modify.conf.
9/10/2023 -- 19:51:38 - <Info> -- Loading /etc/suricata/suricata.yaml
9/10/2023 -- 19:51:38 - <Info> -- Disabling rules for protocol pgsql
9/10/2023 -- 19:51:38 - <Info> -- Disabling rules for protocol modbus
9/10/2023 -- 19:51:38 - <Info> -- Disabling rules for protocol dnp3
9/10/2023 -- 19:51:38 - <Info> -- Disabling rules for protocol enip
9/10/2023 -- 19:51:38 - <Info> -- No sources configured, will use Emerging Threats Open
9/10/2023 -- 19:51:38 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-7.0.1/emerging.rules.tar.gz.md5.
9/10/2023 -- 19:51:38 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.1/emerging.rules.tar.gz.
 100% - 4082031/4082031               
9/10/2023 -- 19:51:39 - <Info> -- Done.
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
9/10/2023 -- 19:51:39 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
9/10/2023 -- 19:51:40 - <Info> -- Ignoring file rules/emerging-deleted.rules
9/10/2023 -- 19:51:41 - <Info> -- Loaded 45191 rules.
9/10/2023 -- 19:51:41 - <Info> -- Disabled 15 rules.
9/10/2023 -- 19:51:41 - <Info> -- Enabled 0 rules.
9/10/2023 -- 19:51:41 - <Info> -- Modified 1 rules.
9/10/2023 -- 19:51:41 - <Info> -- Dropped 0 rules.
9/10/2023 -- 19:51:41 - <Info> -- Enabled 131 rules for flowbit dependencies.
9/10/2023 -- 19:51:41 - <Info> -- Backing up current rules.
9/10/2023 -- 19:51:43 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 45191; enabled: 35178; added: 18; removed 0; modified: 1251
9/10/2023 -- 19:51:44 - <Info> -- Writing /var/lib/suricata/rules/classification.config
9/10/2023 -- 19:51:44 - <Info> -- Testing with suricata -T.
9/10/2023 -- 19:52:01 - <Info> -- Done.

You’ll need to escape the nested quotes:

2039594 "content:\"get.geojs.io\"; nocase; bsize:12;" "content:\"get.geojs.io\"; nocase; bsize:12; content:!\"gloriousgaming.com\";"

Note the additional ; added to the end as well.

Does it generate an error somewhere if my formatting is off?

Only if it's an invalid regular expression. But it's easy to create regular expressions that are valid but would never match Suricata rules.
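The two replies above (escape the nested quotes; only an invalid regex produces an error) can be checked offline before running suricata-update. The script below is an added example, not code from this thread or from suricata-update itself. It assumes the documented three-field modify.conf form, sid "regex" "replacement", and that the fields are split shell-style (Python's shlex), so an unescaped quote inside a field closes that field early instead of becoming part of the regex. The re:/modifysid forms are not handled, and the BAD_REGEX line is constructed here to show the one case that errors.

```python
"""Offline check of what a suricata-update modify.conf line does to a rule.

Added example, not suricata-update's own code. Assumes the three-field form
<sid> "<regex>" "<replacement>" split shell-style (shlex); the re:/modifysid
forms are not handled.
"""
import re
import shlex

# Rule from the thread (ET Open sid 2039594), metadata keyword trimmed.
RULE = (
    'alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Address '
    'Lookup Domain (get .geojs .io) in DNS Lookup"; dns.query; '
    'content:"get.geojs.io"; nocase; bsize:12; classtype:external-ip-check; '
    'sid:2039594; rev:1;)'
)

# The poster's original line: inner quotes not escaped.
UNESCAPED = ('2039594 "content:"get.geojs.io"; nocase; bsize:12;" '
             '"content:"get.geojs.io"; nocase; bsize:12; content:!"gloriousgaming.com""')

# The corrected line from the reply: inner quotes escaped, trailing ';' added.
ESCAPED = (r'2039594 "content:\"get.geojs.io\"; nocase; bsize:12;" '
           r'"content:\"get.geojs.io\"; nocase; bsize:12; content:!\"gloriousgaming.com\";"')

# Constructed line with an unbalanced '(' to show the one case that errors.
BAD_REGEX = '2039594 "bsize:12;(" "bsize:12;"'


def parse_modify_line(line):
    """Split a modify.conf line into (sid, regex, replacement).

    Raises ValueError on a wrong field count and re.error on an invalid
    regex; a regex that is valid but never matches raises nothing.
    """
    tokens = shlex.split(line)
    if len(tokens) != 3:
        raise ValueError(f"expected 3 fields, got {len(tokens)}: {tokens}")
    sid, pattern, repl = tokens
    re.compile(pattern)
    return int(sid), pattern, repl


def rule_sid(rule):
    """Extract the sid of a Suricata rule, or None."""
    m = re.search(r"\bsid:(\d+);", rule)
    return int(m.group(1)) if m else None


def diagnose(rule, line):
    """Return (status, rule_after) for one modify.conf line applied to rule.

    status is one of 'malformed', 'invalid-regex', 'wrong-sid',
    'no-match' or 'modified'.
    """
    try:
        sid, pattern, repl = parse_modify_line(line)
    except ValueError:
        return "malformed", rule
    except re.error:
        return "invalid-regex", rule
    if rule_sid(rule) != sid:
        return "wrong-sid", rule
    new_rule = re.sub(pattern, repl, rule)
    return ("modified" if new_rule != rule else "no-match"), new_rule


if __name__ == "__main__":
    for name, line in (("unescaped", UNESCAPED), ("escaped", ESCAPED),
                       ("bad-regex", BAD_REGEX)):
        status, after = diagnose(RULE, line)
        print(f"{name:10s} -> {status}")
        if status == "no-match":
            # Show the regex the tokenizer actually produced from the line.
            print("   regex seen:", parse_modify_line(line)[1])
        elif status == "modified":
            print("   rule now  :", after)
```

Running it shows why the first attempt was silent: the unescaped line tokenizes to the regex content:get.geojs.io; nocase; bsize:12; (no quotes around the hostname), which is a valid regex that never matches the rule, while the escaped line rewrites the rule with content:!"gloriousgaming.com"; in place. Note that the poster's own log reports "Modified 1 rules." even though nothing was substituted, so that counter alone does not confirm the rewrite; after rerunning suricata-update, confirm with grep 'sid:2039594;' /var/lib/suricata/rules/suricata.rules (the output path from the log above).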