Modify.conf preserve existing rules

lquin1978 · February 13, 2021, 2:51am

We are using “suricata-update” to keep the rules up to date. We are using the disable option to ensure that previously disabled rules are not enabled. However we have had to modify a number of existing rules and the update overwrites our changes… I believe the solution is to use the modify.conf option but I have been unsuccessful in getting this to work.

Can anyone provide an example of using the modify.conf file to exclude an IP address from a rule… so for example changing:

alert ip any any → any any
to
alert ip any any → [any,!192.168.1.2] any

Thanks, and we are running version 6.0.0

ish · February 16, 2021, 9:50pm

You could try a modify.conf line like:

re:ET\ MALWARE "-> any any" "-> [any,!1.1.1.1] any"

This will update the destination address field for all rules that have “ET MALWARE” in them.

Topic		Replies	Views
Suricata-update modify.conf Rules	4	1660	September 11, 2020
Help Using Modify.Conf Help rules , suricata	5	229	October 10, 2023
Suricata-Update Drop and Modify Rules	2	1706	January 11, 2021
Suricata - disable.conf seems not working Rules	2	796	July 8, 2021
All of a sudden new entries in disable.conf being ignored Help	8	1436	October 28, 2022

Modify.conf preserve existing rules

Related Topics