I’m trying to modify rule #2018216 slightly, to exclude a particular IP address…so I do still want to get alerts for that rule, but just not when that particular IP address is the ‘destination’.
So I created: /etc/suricata/modify.conf
And added the following line:
2018216 "$EXTERNAL_NET" "[$EXTERNAL_NET, ! 188.8.131.52]"
(Thank you for pointing me in the right direction @IDSTower!)
Saved it, then ran:
To which it did mention that 1 rule was modified. Then ran:
sudo systemctl restart suricata
But then I ran:
sudo grep "2018216" /var/lib/suricata/rules/suricata.rules
And it output:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; http.host; content:".hopto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)
I thought that I would see my change there, but maybe that’s not how Suricata works?
Either way, I am still getting “2018216” alerts for 184.108.40.206.
Since I’m still a newbie, I figure I’m missing something, or doing something wrong.
And kind of a secondary but related question is: can I use a URL instead of an IP? That’s ultimately what I want - I want to ignore my URL such as myurl.hopto.org instead of an IP address.
You are on the right track, there is just some escaping required due to suricata-update using python regular expressions to do the modifies.
2018216 "\\$EXTERNAL_NET" "[$EXTERNAL_NET,!220.127.116.11]"
It is not currently possible to use host/domain names in the network source or destination fields.
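As an added illustration of the escaping point in this answer (example code written here, not part of the thread and not suricata-update's own code): the snippet below models how a modify.conf line is applied, assuming suricata-update splits the line shell-style (shlex) and treats the second field as a Python regular expression passed to re.sub. The rule text is a trimmed copy of sid 2018216 as quoted above, and 198.51.100.7 is a constructed placeholder for the destination you want to exclude. With the unescaped pattern, `$` is the regex end-of-string anchor, so nothing matches and the rule is left untouched, which is exactly the symptom described in the question.

```python
import re
import shlex

# Constructed copy of the rule from this thread (sid 2018216), trimmed of references/metadata.
RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; '
        'http.host; content:".hopto.org"; fast_pattern; endswith; classtype:bad-unknown; '
        'sid:2018216; rev:5;)')

# The two modify.conf lines compared in the thread; 198.51.100.7 is a placeholder address.
MODIFY_UNESCAPED = '2018216 "$EXTERNAL_NET" "[$EXTERNAL_NET,!198.51.100.7]"'
MODIFY_ESCAPED = r'2018216 "\\$EXTERNAL_NET" "[$EXTERNAL_NET,!198.51.100.7]"'


def parse_modify_line(line):
    """Split a modify.conf line into (sid, pattern, replacement).

    Assumption: suricata-update tokenises the line with shlex, so inside double
    quotes the sequence \\\\ collapses to a single backslash, giving the regex
    the literal \\$ it needs. This helper models that; it is not suricata-update code.
    """
    sid, pattern, repl = shlex.split(line)
    return int(sid), pattern, repl


def apply_modify(rule, line):
    """Apply one modify line to one rule; return (new_rule_text, substitutions_made)."""
    sid, pattern, repl = parse_modify_line(line)
    rule_sid = int(re.search(r"sid:(\d+);", rule).group(1))
    if rule_sid != sid:
        return rule, 0            # modify lines only touch the rule with the matching sid
    return re.subn(pattern, repl, rule)


def compare_patterns(rule=RULE):
    """Return the substitution counts for the unescaped and the escaped pattern."""
    _, unescaped_count = apply_modify(rule, MODIFY_UNESCAPED)
    _, escaped_count = apply_modify(rule, MODIFY_ESCAPED)
    return unescaped_count, escaped_count


if __name__ == "__main__":
    print("pattern as parsed (unescaped):", parse_modify_line(MODIFY_UNESCAPED)[1])
    print("pattern as parsed (escaped):  ", parse_modify_line(MODIFY_ESCAPED)[1])
    print("substitutions (unescaped, escaped):", compare_patterns())
    print(apply_modify(RULE, MODIFY_ESCAPED)[0])
```

Running it shows the unescaped line parses to the regex `$EXTERNAL_NET` (zero substitutions) while the escaped line parses to `\$EXTERNAL_NET` and rewrites the destination to `[$EXTERNAL_NET,!198.51.100.7]`; `$HOME_NET` on the source side is not touched because the pattern is anchored to the literal variable name. The same reasoning applies to any other regex metacharacter in a rule you modify, for example `.` or `[` inside a `content:` match.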
Hi @jmtaylor90,
That worked - that was it, thank you!
(I don’t think that the whole escaping thing is in the documentation. At least not here: suricata-update - Update — suricata-update 1.3.0dev0 documentation. I wish it was, not just for me but for everyone else). Are there any good references about the additional escaping I may need to watch out for/try? I know I’m going to be modifying more rules.
And although I don’t like the answer to my 2nd question, I do appreciate you answering it too. I sure hope they allow host/domain names in the future! Because now I’ll have to change the IP address every time the IP address changes.
Thanks again @jmtaylor90!
I made a note about the documentation and will see if we can get some updates in there. Thanks for mentioning that!
Hi there, I see that JT has already answered, but I thought I’d try to add 2 cents (which may or may not work - disclaimer!)
Can’t you have a pass rule or use the bypass keyword matching on something that indicates that the URL is that one?
I think this blog post by StamusNetworks talks about something that might be related: Suricata bypass feature
Hi @jufajardini,
Thanks for the idea. I’m super new to Suricata so I will have to learn about ‘pass rules’ and ‘bypass keyword matching’. But if it’s a possibility I will definitely look into it.
Thank you again!
No problems, I hope it helps.
Maybe these could offer some clarity:
Oh, I just saw this answer that is about pass rules, too: In Suricata IDS mode. is it possible to block/drop/pass good traffic so it will not be seen in kibana? - #15 by sscally
Good luck with your learning journey!
Thank you for the extra links @jufajardini! I’ll take a look at all of that too - I’ll need all the references/info I can get!