Modify.conf question

Hi all (and happy Thanksgiving to our US friends),

Currently I am working through rule 2006380. I will need to exclude some ranges and singular dest IPs.
As a result I make my modify.conf line as follows:

2006380 "$HOME_NET any -> any any" "$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, 10.50.140.0/24] any"

For some reason, after killing suricata, running suricata-update, and restarting suricata I still see alerts with dest ip 10.5.162.64.

No idea why. I could create a whole new rule of course, however that surpasses the idea of having a modify.conf (I believe).

Anyone’s input is highly appreciated (as always),

S.

You will need to escape the $ in the first match as it has special meaning in regular expressions. Try:

2006380 "\\$HOME_NET any -> any any" "$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, 10.50.140.0/24] any"
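To see why the escape matters, here is an added example (not suricata-update's own code) that mimics how a modify.conf line is tokenised shell-style and then applied as a regex substitution; the rule text is a constructed placeholder for sid 2006380, and the shlex/re behaviour is my assumption about how the tool processes the line.

```python
import re
import shlex

# Constructed stand-in for the header of ET rule 2006380; the body is a
# placeholder, not the real rule text.
RULE = ('alert tcp $HOME_NET any -> any any '
        '(msg:"PLACEHOLDER rule 2006380"; sid:2006380; rev:1;)')

# The two modify.conf lines from the thread, exactly as they would be typed.
UNESCAPED_LINE = ('2006380 "$HOME_NET any -> any any" '
                  '"$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, '
                  '10.50.140.0/24] any"')
ESCAPED_LINE = (r'2006380 "\\$HOME_NET any -> any any" '
                r'"$HOME_NET any -> ![$NAME1, 10.50.145.157, 10.5.162.64, '
                r'10.50.140.0/24] any"')


def parse_modify_line(line):
    """Split a modify.conf line into (sid, compiled from-regex, to-string).

    Tokenising is shell-style: inside double quotes a backslash escapes only
    another backslash or a quote, so "\\$" reaches the regex engine as \$.
    """
    sid, frm, to = shlex.split(line)
    return sid, re.compile(frm), to


def apply_modify(rule, line):
    """Apply one modify line to a rule string.

    Returns (changed, new_rule). An unescaped $ is a regex end-of-string
    anchor, so "$HOME_NET" can never match and the rule is left untouched;
    the escaped form matches the literal variable name and rewrites it.
    """
    _, pattern, to = parse_modify_line(line)
    new_rule, count = pattern.subn(to, rule)
    return count > 0, new_rule


if __name__ == "__main__":
    for label, line in (("unescaped", UNESCAPED_LINE), ("escaped", ESCAPED_LINE)):
        changed, result = apply_modify(RULE, line)
        print(f"{label}: changed={changed}\n  {result}")
```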

Thanks so much @ish for showing me the light on this Thanksgiving!