Odd problem with EXTERNAL_NET

DrChris · August 1, 2023, 10:38pm

This is a bit of a head scratcher with 6.0.x. Below are the 2 variables defined for address-groups:

HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,224.0.0.0/4,169.254.0.0/16]"
EXTERNAL_NET: "[!$HOME_NET, 10.10.10.10/32]"

I have created a silly rule as:
alert tcp any any -> $EXTERNAL_NET any (msg:"My silly signature"; classtype:misc-activity; sid:3450000; rev:1;)
The goal is just to make sure things trigger the right way.

While the very same set of address-groups works fine in 4.x, I cannot figure out why EXTERNAL_NET definition does not trigger, but if I restrict it to:
EXTERNAL_NET: "!$HOME_NET"
then everything works as expected.

( I have tried different orders, different bracketting, … nothing helped).

Does this look like “user error”? did I skip a chapter in the book? any other idea?

TIA

Chris.

DrChris · August 1, 2023, 11:36pm

Adding extra details, the above definition for EXTERNAL_NET using 10.10.10.10/32 leads to “insufficient memory” when processing rules (per suricata.log)
Using instead:

EXTERNAL_NET: "[!$HOME_NET, 8.8.8.8/32]"

matches the described behavior (i.e., no detection).

Andreas_Herz · August 31, 2023, 5:52am

What version are you using?

DrChris · August 31, 2023, 5:05pm

(Silly me forgettting about the basics )

Trying to move from 4.x to 6.0.12…

sscally · September 5, 2023, 2:29pm

Hi Chris,

Have you tried removing the space between the comma and the 10.10.10.10/32 entry?