$HOME_NET in suricata rule ignored?

atbohmer · November 8, 2023, 12:53pm

Closed.

Hello,

Created some custom rules I borrowed from ET, but is seems like the destination variable $HOME_NET is ignored? Maybe a second pair of eyes can share some insight?

alert tcp $HOME_NET any → $HOME_NET any (msg:“SCAN NMAP -sA (1)”; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,Emerging Threats; classtype:attempted-recon; sid:100000022; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

It also hits on destination ip’s way out of the HOME_NET scope defined in suricata.yaml (suricata 7).

Thanks!
Andre

Andreas_Herz · December 12, 2023, 9:06pm

Does it work if you change it to any instead of HOME_NET?
And if so, did you double check the IPs are in the HOME_NET variable?

atbohmer · December 18, 2023, 12:47pm

tnx for your reply Andreas, but it was a combination of different event types (alert, protocols) which led to my confusion.

Topic		Replies	Views
Excluding VARS from HOME_NET & EXTERNAL_NET Rules	1	1110	February 27, 2021
Suricata-update - modify.conf and $EXTERNAL_NET Help	2	649	February 19, 2021
Suricata rules about network scan Rules rules	2	804	January 18, 2023
Help with variables in YAML file Rules	3	740	February 15, 2023
Custom rule not triggering (newbie warning!) [SOLVED] Rules	3	840	October 20, 2022

$HOME_NET in suricata rule ignored?

Related Topics