How to modify signature to NOT fire if there is additional unique content

Misuri · October 18, 2021, 3:32pm

Hi everybody,

I am new here and also new to Suricata and I need help. I have rule which fires when it sees:
content:“text1” followed by content:“text2” with distance:0
I need to modify the rule in modify.conf in such a way, that if above is true and there is third content:“text3”, then do not fire alert.

Can it be done? How? Thanks in advance for suggestions.

Misuri

Misuri · October 18, 2021, 3:43pm

I forgot to mention that content:“text3” will always be between original two contens from rule.

Misuri

Topic		Replies	Views
Editing Suricata rule to exclude specific string Help rules	3	749	October 25, 2023
Order of content modifiers Rules	3	196	April 5, 2024
Duplicate signature and error parsing signature errors Help rules	3	150	July 29, 2024
Rules modified with modify.conf still appear in alerts Help	2	503	January 11, 2022
I want to block specific word for any website, please tell me anyone how is it possible, i'm new in information security Help ips , community , rules , suricata	1	251	October 23, 2023

How to modify signature to NOT fire if there is additional unique content

Related topics