How to modify signature to NOT fire if there is additional unique content

Misuri · October 18, 2021, 3:32pm

Hi everybody,

I am new here and also new to Suricata and I need help. I have rule which fires when it sees:
content:“text1” followed by content:“text2” with distance:0
I need to modify the rule in modify.conf in such a way, that if above is true and there is third content:“text3”, then do not fire alert.

Can it be done? How? Thanks in advance for suggestions.

Misuri

Misuri · October 18, 2021, 3:43pm

I forgot to mention that content:“text3” will always be between original two contens from rule.

Misuri

Topic		Replies	Views
Rules modified with modify.conf still appear in alerts Help	2	456	January 11, 2022
Suricata-Update and custom signature sets Rules	7	1963	July 2, 2020
Issue with modifying rule more than once suricata-update Rules	4	907	January 11, 2021
Suricata-update & modify.conf Rules	4	764	February 23, 2021
All of a sudden new entries in disable.conf being ignored Help	8	1417	October 28, 2022

How to modify signature to NOT fire if there is additional unique content

Related Topics