How to specify a range of rule IDs

jimoe · June 3, 2022, 5:14pm

Suricata v6.0.5 (I did searched the doc)

I use drop.conf to block IPs. Recently I added what I thought was a valid entry for a range of rule IDs. Not so?

#  ET TOR Known Tor Exit Node Traffic group 27 - 133
2520026-2520133

None of these IDs are dropped.

What is the correct syntax?

Andreas_Herz · June 5, 2022, 7:46pm

You use the drop.conf for suricata-update to generate the desired ruleset, correct?
Can you show the end result of the suricata-update run, so we can make sure those ET TOR rules are correctly converted to drop rules?

jimoe · June 5, 2022, 8:57pm

Ah. Silly me.

5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2520026-2520133"
5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2034660-2034699"
5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2034782-2034799"
5/6/2022 -- 08:02:02 - <Warning> -- Failed to parse: "2034800-2034839"

So what IS the correct syntax?

ish · June 6, 2022, 2:47pm

Looks like we don’t support range. Perhaps a regex might be better in this case?

jimoe · June 6, 2022, 5:45pm

A regex is better only because it is the only option. It needs multiple lines to do the same job as a range would.

Thank you.

Topic		Replies	Views
Are these settings deprecated? Help	5	266	November 24, 2023
Suricata-Update Drop and Modify Rules	2	1871	January 11, 2021
Strange behavior with pass and drop rule Help	14	1327	July 9, 2021
Modify.conf question Rules	2	484	November 25, 2021
Errors in suricata rules Rules rules , suricata	6	1048	April 3, 2023

How to specify a range of rule IDs

Related Topics