Modify.conf possibly not working, probably a newbie error?

Hello,
I’m trying to modify rule #2018216 slightly, to exclude a particular IP address…so I do still want to get alerts for that rule, but just not when that particular IP address is the ‘destination’.
So I created: /etc/suricata/modify.conf

And added the following line:
2018216 "$EXTERNAL_NET" "[$EXTERNAL_NET, ! 98.51.138.237]"
(Thank you for pointing me in the right direction @IDSTower!)

Saved it, then ran:
sudo suricata-update

To which it did mention that 1 rule was modified. Then ran:
sudo systemctl restart suricata

But then I ran:
sudo grep "2018216" /var/lib/suricata/rules/suricata.rules

And it output:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; http.host; content:".hopto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)

I thought that I would see my change there, but maybe that’s not how Suricata works?
Either way, I am still getting “2018216” alerts for 98.51.138.237.

Since I’m still a newbie, I figure I’m missing something, or doing something wrong.

And kind of a secondary but related question is: can I use a URL instead of an IP? That’s ultimately what I want - I want to ignore my URL such as myurl.hopto.org instead of an IP address.

You are on the right track, there is just some escaping required due to suricata-update using python regular expressions to do the modifies.

try:
2018216 "\\$EXTERNAL_NET" "[$EXTERNAL_NET,!98.51.138.237]"

It is not currently possible to use host/domain names in the network source or destination fields.

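To show why the escaping matters, here is an added illustration (my own code, not suricata-update's): a simplified stand-in for how suricata-update tokenises a modify.conf line and applies its second field as a Python regular expression via re.sub. The rule text is a trimmed copy of the one quoted above; the parsing details are an assumption about the tool's behaviour, not its actual source.

```python
import re
import shlex

# Constructed, trimmed copy of rule 2018216 as quoted earlier in the thread.
RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection '
        'To DDNS Domain Hopto.org"; flow:established,to_server; http.host; '
        'content:".hopto.org"; fast_pattern; endswith; classtype:bad-unknown; '
        'sid:2018216; rev:5;)')


def parse_modify_line(line):
    """Split one modify.conf line into (sid, compiled regex, replacement).

    Simplified stand-in (assumption) for suricata-update's parser: the line is
    tokenised with shlex, so "\\$" inside double quotes collapses to \$, and the
    second field is compiled as a Python regular expression.
    """
    sid, pattern, repl = shlex.split(line)
    return int(sid), re.compile(pattern), repl


def apply_modify(rule, line):
    """Apply a modify line to a rule string with re.sub and return the new text."""
    sid, pattern, repl = parse_modify_line(line)
    if "sid:%d;" % sid not in rule:
        return rule
    # re.sub replaces every match; this rule has $EXTERNAL_NET only as destination.
    return pattern.sub(repl, rule)


def modified(rule, line):
    """True if the modify line actually changed the rule text."""
    return apply_modify(rule, line) != rule


# The original attempt: the regex `$EXTERNAL_NET` starts with `$`, the
# end-of-string anchor, so it can never match and the rule stays unchanged.
UNESCAPED = '2018216 "$EXTERNAL_NET" "[$EXTERNAL_NET, ! 98.51.138.237]"'
# The fix from the thread: "\\$EXTERNAL_NET" reaches the regex engine as
# \$EXTERNAL_NET, a literal dollar sign followed by EXTERNAL_NET.
ESCAPED = '2018216 "\\\\$EXTERNAL_NET" "[$EXTERNAL_NET,!98.51.138.237]"'

if __name__ == "__main__":
    for label, line in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(label, "->", "modified" if modified(RULE, line) else "unchanged")
```

Running it prints "unescaped -> unchanged" and "escaped -> modified", matching what the grep in the first post showed before and after the fix.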

Hi @jmtaylor90 ,

That worked - that was it, thank you!
(I don’t think that the whole escaping thing is in the documentation. At least not here: suricata-update - Update — suricata-update 1.3.0dev0 documentation. I wish it was, not just for me but for everyone else.) Are there any good references about the additional escaping I may need to watch out for/try? I know I’m going to be modifying more rules.

And although I don’t like the answer to my 2nd question, I do appreciate you answering it too. I sure hope they allow host/domain names in the future! Because now I’ll have to change the IP address every time the IP address changes.

Thanks again @jmtaylor90 !

I made a note about the documentation and will see if we can get some updates in there. Thanks for mentioning that!

JT


Hi there, I see that JT has already answered, but I thought I’d try to add 2 cents (which may or may not work - disclaimer! :stuck_out_tongue: )

Can’t you have a pass rule or use the bypass keyword matching on something that indicates that the URL is that one?

I think this blog post by StamusNetworks talks about something that might be related: Suricata bypass feature

Hi @jufajardini ,

Thanks for the idea. I’m super new to Suricata so I will have to learn about ‘pass rules’ and ‘bypass keyword matching’. But if it’s a possibility I will definitely look into it.

Thank you again!

No problems, I hope it helps. :slight_smile:

Maybe these could offer some clarity:

Oh, I just saw this answer that is about pass rules, too: In Suricata IDS mode. is it possible to block/drop/pass good traffic so it will not be seen in kibana? - #15 by sscally

Good luck with your learning journey!

Thank you for the extra links @jufajardini ! I’ll take a look at all of that too - I’ll need all the references/info I can get!
