How to specify a range of rule IDs

jimoe · June 3, 2022, 5:14pm

Suricata v6.0.5 (I did searched the doc)

I use drop.conf to block IPs. Recently I added what I thought was a valid entry for a range of rule IDs. Not so?

#  ET TOR Known Tor Exit Node Traffic group 27 - 133
2520026-2520133

None of these IDs are dropped.

What is the correct syntax?

Andreas_Herz · June 5, 2022, 7:46pm

You use the drop.conf for suricata-update to generate the desired ruleset, correct?
Can you show the end result of the suricata-update run, so we can make sure those ET TOR rules are correctly converted to drop rules?

jimoe · June 5, 2022, 8:57pm

Ah. Silly me.

5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2520026-2520133"
5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2034660-2034699"
5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2034782-2034799"
5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2034800-2034839"

So what IS the correct syntax?

ish · June 6, 2022, 2:47pm

Looks like we don’t support range. Perhaps a regex might be better in this case?

jimoe · June 6, 2022, 5:45pm

A regex is better only because it is the only option. It needs multiple lines to do the same job as a range would.

Thank you.

Topic		Replies	Views
Strange behavior with pass and drop rule Help	14	1140	July 9, 2021
Modify.conf question Rules	2	448	November 25, 2021
Missing 1 piece of the puzzle Help ips	2	1475	February 5, 2021
Unknown rule keyword 'flow.pkts_toclient' Help rules	2	133	February 6, 2024
Fast.log entry/entries Help ips	3	775	February 17, 2021

How to specify a range of rule IDs

Related Topics