Modify.conf question

sgroenev · November 25, 2021, 3:05pm

Hi all (and happy thanksgiving to our US friends),

Currently I am working through rule 2006380. I will need to exclude some ranges and singular dest IPs.
As a result I make my modify.conf line as follows:

2006380 "$HOME_NET any -> any any" "$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, 10.50.140.0/24] any"

For some reason, after killing suricata, running suricata-update, and restarting suricata I still see alerts with dest ip 10.5.162.64.

No idea why. I could create a whole new rule of course, however that surpasses the idea of having a modify.conf (I believe).

Anyone’s input is highly appreciated (as always),

S.

ish · November 25, 2021, 5:27pm

You will need to escape the $ in the first match as it has special meaning in regular expressions. Try:

2006380 "\\$HOME_NET any -> any any" "$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, 10.50.140.0/24] any"

sgroenev · November 25, 2021, 7:03pm

Thanks so much @ish to show me the light on this Thanksgiving!

Topic		Replies	Views
Modify.conf possibly not working, probably a newbie error?	7	798	January 26, 2023
Modify.conf preserve existing rules Help	1	343	February 16, 2021
Suricata-update modify.conf Rules	4	1750	September 11, 2020
Suricata-update - modify.conf and $EXTERNAL_NET Help	2	655	February 19, 2021
Rule has unknown dest port var and will be disabled Rules	4	924	July 13, 2022

Modify.conf question

Related Topics