Multiple modify.conf files (but named differently) + increase in severity

Good morning and happy Thursday,

The story here is as follows, to give an idea of what I am trying to accomplish.

CISA has a list of most exploited vulnerabilities which is very useful. We have gone through the exercise of determining which rules in Suricata need to be adjusted to ensure we are properly alerted.

Now, and I am a little ashamed of this, the list of adjustments is rather large (nothing external facing, thankfully).

In order to keep track of this correctly I was thinking to create a 2nd “modify.conf” in which I can easily track and find the adjustments. (1)

Also I want to raise the alert level in case there is a successful attempt (2).

So any input is highly appreciated.

CISA link for those interested: Known Exploited Vulnerabilities Catalog | CISA

  1. Suricata-Update can only make use of a single modify.conf file and I don’t see a common enough use case to add support for multiple ones. You could probably do some pre-processing on your own to achieve this though.

  2. Suricata-Update does not have built-in support for modifying the severity of a rule, but I think this is in scope. We recently added the ability to add metadata to a rule (suricata-update - Update — suricata-update 1.3.0dev0 documentation), which is one option you could use to add a custom severity via metadata, if that works for you. Otherwise I’d recommend creating a feature request over at Issues - Suricata - Open Information Security Foundation, as I do think this is in-scope for Suricata-Update.
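As an added example (not code from this thread or from the Suricata project), here is the pre-processing approach from (1) together with one way to handle (2). It merges per-topic fragments from an assumed /etc/suricata/modify.d/ directory into the single modify.conf that suricata-update reads, with a banner per fragment so every entry stays traceable to its source file, and it generates, for SIDs mapped to the KEV list, a modify.conf entry that rewrites (or inserts) the rule's priority keyword plus a metadata-add entry that can be filtered on in EVE output. The `<matcher> "<regex>" "<replacement>"` form, applied with Python re.sub, is the documented modify.conf syntax; the `metadata-add <matcher> <key> <value>` form is taken from the 1.3 docs linked above and should be checked against the version you run. The preview() helper applies an entry to a rule string the same way suricata-update does, so the rewrite can be checked before the real update. The sample rules in the test are constructed.

```python
#!/usr/bin/env python3
"""Merge modify.conf fragments and generate KEV priority/metadata entries.

Added example, not code from the thread or the Suricata project. Assumed
layout: fragments in /etc/suricata/modify.d/*.conf (e.g. cisa-kev.conf),
merged output in /etc/suricata/modify.conf, used as
    suricata-update --modify-conf /etc/suricata/modify.conf
"""
import glob
import os
import re
import shlex
import sys

# <matcher> "<regex>" "<replacement>"; matcher is a SID, re:, group: or filename:
ENTRY = re.compile(r'^(\d+|re:\S+|group:\S+|filename:\S+)\s+"(.*)"\s+"(.*)"$')
# metadata-add <matcher> <key> <value> (syntax per the 1.3 docs; assumption,
# verify against the installed suricata-update)
META = re.compile(r"^metadata-add\s+\S+\s+\S+\s+\S+$")


def validate_line(line):
    """True for blank/comment lines and well-formed entries; raises ValueError
    otherwise, so a typo in a fragment fails the merge, not the update run."""
    s = line.strip()
    if not s or s.startswith("#"):
        return True
    if ENTRY.match(s) or META.match(s):
        return True
    raise ValueError("not a valid modify.conf entry: %r" % line)


def merge_fragments(fragments):
    """fragments: list of (name, text). Returns the merged modify.conf text
    with a comment banner per fragment, so each entry is traceable to the
    file (and therefore the CVE it was added for) it came from."""
    out = ["# GENERATED from modify.d/ - edit the fragments, not this file"]
    for name, text in fragments:
        out.append("# ---- %s ----" % name)
        for line in text.splitlines():
            validate_line(line)
            out.append(line.rstrip())
    return "\n".join(out) + "\n"


def kev_entries(sids, priority=1, key="tracking", value="cisa-kev"):
    """Two entries per SID matched to the KEV list. The regex alternation
    either rewrites an existing 'priority:N;' or, when the rule has none,
    inserts one right after 'sid:N;'. One entry (not two) keeps a rule from
    ending up with a duplicate priority keyword. Assumes the ET style
    'sid:N;' with no space after the colon."""
    lines = []
    for sid in sids:
        pat = r"sid:%d;(.*?)\s*priority:\s*\d+;|sid:%d;" % (sid, sid)
        rep = r"sid:%d; priority:%d;\1" % (sid, priority)
        lines.append('%d "%s" "%s"' % (sid, pat, rep))
        lines.append("metadata-add %d %s %s" % (sid, key, value))
    return lines


def preview(entry, rule):
    """Apply one regex entry to a rule string the way suricata-update does
    (shlex-split the line, re.sub the rule) to check it before the real run."""
    matcher, pattern, repl = shlex.split(entry)
    return re.sub(pattern, repl, rule)


def main(conf_dir="/etc/suricata"):
    fragments = []
    for path in sorted(glob.glob(os.path.join(conf_dir, "modify.d", "*.conf"))):
        with open(path) as f:
            fragments.append((os.path.basename(path), f.read()))
    with open(os.path.join(conf_dir, "modify.conf"), "w") as f:
        f.write(merge_fragments(fragments))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/etc/suricata")
```

After the merge, run `suricata-update --modify-conf /etc/suricata/modify.conf` and confirm the result in the generated suricata.rules (grep the SID and check the priority keyword) before reloading. One caveat for point (2): priority is per rule, so this raises every alert that rule produces, attempt or not; whether an exploit succeeded is not something a priority bump can express, so the response-side or post-exploitation signatures for the same CVE are the ones worth mapping for that.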

Thanks @ish for the feedback!

The free version of IDSTower (demo link) can attain the same results you are trying to achieve:

  1. You can group the rules that are in the CISA list by either adding them to a category or adding a tag to them (both are exported as metadata in the generated alerts and can be filtered on).
  2. You can override the priority/severity level of the rules in this category without having to alter the source code (IDSTower will do it for you), which again is exported in the generated alerts and can be used to prioritize the triage process.