Is there a Way to Configure Dynamic Message Output Reporting of RegEx-based Matches?

Is it possible to configure Suricata to output message results to report the values of both fixed and Regex matched content? For example, imagine content to be in this format:

PCAP1: Toshiba Device 927569
PCAP2: Toshiba Device 88945
PCAP3: Toshiba Device B89.A4

We are using a secondary reporting tool that can leverage Suricata’s messages. Therefore it would be ideal to have a reference or report of the individual device type found in each of the PCAPs. Ideally, alert messages would read “Toshiba Device 927569”, “Toshiba Device 88945”, etc.

The secondary tool can use these messages to initiate an alert for the rest of our system to actuate a workflow based on device types that are seen on the wire.

The issue is, we don’t know what device types we may see in advance, and even the manufacturer information may change. So we cannot write rigid hard-coded content rules in advance. However, we can write rules to match hard-coded content of fixed preamble and post-amble information. Only the inner content will change.

I believe something similar was requested in these two tickets?

If this cannot currently be done, is it on the roadmap?

Thank you.

This looks like pcre substring capture…

Like pcre:"/Toshiba Device ([A-Z0-9\.]+)/,flow:toshiba_device";

And then you get it in your logs with
jq 'select(.event_type=="alert") | .metadata.flowvars[]? | .toshiba_device'


Or you can put pcre:"/(Toshiba Device [A-Z0-9\.]+)/,flow:toshiba_device"; if you want the fixed string in the log as well

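As an added example (not code from the original posts or from the Suricata project), the block below shows the consumer side of the approach suggested in the two answers above: a preview of what the pcre capture group stores for the three sample payloads from the question, and a small reader that rebuilds the wanted "Toshiba Device ..." messages from eve.json alert records. The rule in the comment and the eve.json lines are constructed for illustration; the record shape (a metadata.flowvars list of single-key objects) is the one Suricata uses for captured flow variables. With the group around the identifier only (first answer) the consumer re-adds the fixed prefix; with the whole string inside the group (second answer) the prefix argument would simply be empty.

```python
import json
import re
from typing import List, Optional

# Assumed rule for the technique described in the thread (an example, not a
# rule from the original posts). The pcre keyword stores capture group 1 in
# the flow variable "toshiba_device", which Suricata then emits in the
# alert's metadata.flowvars list:
#
#   alert tcp any any -> any any (msg:"Toshiba device seen"; \
#       content:"Toshiba Device "; \
#       pcre:"/Toshiba Device ([A-Z0-9\.]+)/,flow:toshiba_device"; \
#       sid:9000001; rev:1;)
#
# Python's re treats this pattern the same way PCRE does, so it can be used
# to preview what the rule will capture from a payload.
CAPTURE_RE = re.compile(rb"Toshiba Device ([A-Z0-9\.]+)")

# Constructed eve.json records (not real Suricata output) in the shape Suricata
# uses: metadata.flowvars is a list of single-key objects, one per variable.
EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","alert":{"signature_id":9000001,'
    '"signature":"Toshiba device seen"},"metadata":{"flowvars":[{"toshiba_device":"927569"}]}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"event_type":"alert","src_ip":"10.0.0.6","alert":{"signature_id":9000001,'
    '"signature":"Toshiba device seen"},"metadata":{"flowvars":[{"toshiba_device":"B89.A4"}]}}',
    '{"event_type":"alert","src_ip":"10.0.0.7","alert":{"signature_id":9000002,'
    '"signature":"Unrelated rule"}}',
]


def capture_device(payload: bytes) -> Optional[str]:
    """Return what the rule's capture group would store for this payload, or None."""
    m = CAPTURE_RE.search(payload)
    return m.group(1).decode("ascii") if m else None


def flowvar_messages(lines: List[str], var: str = "toshiba_device",
                     prefix: str = "Toshiba Device ") -> List[str]:
    """Rebuild the messages the asker wanted from eve.json alert records.

    Only alert events are considered; alerts from other rules carry no
    metadata or no matching flowvar and are skipped rather than raising.
    """
    messages = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        metadata = event.get("metadata") or {}
        for flowvar in metadata.get("flowvars") or []:
            if var in flowvar:
                messages.append(prefix + flowvar[var])
    return messages


if __name__ == "__main__":
    for sample in (b"PCAP1: Toshiba Device 927569",
                   b"PCAP3: Toshiba Device B89.A4",
                   b"Toshiba Device 927569 online"):
        print(sample, "->", capture_device(sample))
    for msg in flowvar_messages(EVE_LINES):
        print(msg)
```

Two things the preview makes visible: the character class stops at the first byte outside it, so trailing text after the identifier is not captured, and the class as written is case-sensitive, so a lowercase identifier would not match unless the pcre `i` modifier is added.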

Okay, thank you. This may be an ingenious workaround. We can most likely make this work.