Issue with modifying rule more than once suricata-update

Hey team,

I am trying to modify the same rule more than once using modify.conf in suricata-update but the rule remains unchanged.

Say for example I have a rule:

alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)

Now I add the following lines to my modify.conf file and run suricata-update --modify-conf=suricata-update/suricata/update/configs/modify.conf --force --no-merge:

2230000 "alert" "reject"
2230000 "reject" "pass"

The expected new rule should be:

pass tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)

However, the rule remains unchanged, i.e.

alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)

Is there anything that I’m missing or doing wrong? Any help on this is greatly appreciated.

Thanks,
Vagisha

Have you tried without --no-merge? I’ve tried and it works out.

Hey Vagisha,

I am having a similar issue that I reported here: Suricata-Update Drop and Modify

I still have not had luck getting this to work. Did you find anything out on your end?

Thanks,
Taylor

Yes, this is the command I have been using:

suricata-update --modify-conf=suricata-update/suricata/update/configs/modify.conf --force --no-merge

Yes, facing a similar issue. But if I try using --local for the rule file that I’m modifying multiple times, it resolves my issue.

However, this shouldn’t be a workaround here. We should be able to modify rules with the --url option or the source set in update.yaml whenever there is a fresh download.
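As an added example (not suricata-update's own code and not part of this thread), the script below applies modify.conf lines to rules in file order, keyed on sid, which is the behaviour the original question expects: the output of one line feeds the next, so "alert" to "reject" followed by "reject" to "pass" leaves the rule at "pass". It assumes only the `<sid> "from" "to"` and `re:<regex> "from" "to"` line forms, with no quotes inside the pattern or replacement; the sample rule and modify.conf content are constructed to mirror the thread.

```python
"""Added example: apply modify.conf-style filters to rules in file order.
Not suricata-update's code; supports only the sid and re: matcher forms
(assumed to be the subset that matters for the question above)."""
import re

# Constructed sample: the rule from the thread, as a plain string.
SAMPLE_RULE = (
    'alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; '
    'flow:established; app-layer-event:tls.invalid_sslv2_header; '
    'flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; '
    'sid:2230000; rev:1;)'
)

# Constructed modify.conf content mirroring the two lines in the thread.
SAMPLE_MODIFY_CONF = """
# alert -> reject, then reject -> pass, both keyed on the same sid
2230000 "alert" "reject"
2230000 "reject" "pass"
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
# <matcher> "<pattern>" "<replacement>"; embedded quotes are not supported here.
MODIFY_LINE_RE = re.compile(r'^(\S+)\s+"([^"]*)"\s+"([^"]*)"\s*$')


def parse_modify_conf(text):
    """Return a list of (matcher, compiled_pattern, replacement) in file order."""
    filters = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MODIFY_LINE_RE.match(line)
        if not m:
            raise ValueError(f"modify.conf line {lineno}: cannot parse {raw!r}")
        matcher, pattern, repl = m.groups()
        filters.append((matcher, re.compile(pattern), repl))
    return filters


def rule_sid(rule):
    """Integer sid of a rule line, or None if it has no sid keyword."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_action(rule):
    """The first token of a rule is its action (alert, drop, pass, reject, ...)."""
    return rule.split(None, 1)[0]


def matcher_applies(matcher, rule):
    """sid matchers compare the numeric sid; re: matchers search the whole rule."""
    if matcher.startswith("re:"):
        return re.search(matcher[3:], rule) is not None
    if matcher.isdigit():
        return rule_sid(rule) == int(matcher)
    raise ValueError(f"unsupported matcher {matcher!r}")


def apply_modify_filters(rules, filters):
    """Apply every matching filter to each rule, in order, feeding the output
    of one filter into the next so that later lines see earlier edits."""
    out = []
    for rule in rules:
        current = rule
        for matcher, pattern, repl in filters:
            if matcher_applies(matcher, current):
                current = pattern.sub(repl, current)
        out.append(current)
    return out


def preview(rules_text, modify_conf_text):
    """Rule lines in, rewritten rule lines out (blank and comment lines dropped)."""
    filters = parse_modify_conf(modify_conf_text)
    rules = [l for l in rules_text.splitlines() if l.strip() and not l.startswith("#")]
    return apply_modify_filters(rules, filters)


if __name__ == "__main__":
    for rewritten in preview(SAMPLE_RULE, SAMPLE_MODIFY_CONF):
        print(rewritten)
```

Running `preview` over your own rules file and modify.conf gives the result the chained lines should produce, which you can diff against the rules file suricata-update actually wrote. Note that order matters: if the two lines were reversed, the "reject" to "pass" line would find nothing to match and the rule would stay at "reject"; a single anchored line such as `2230000 "^alert" "pass"` reaches the same end state without depending on a chain.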