Order of content modifiers

When you have multiple “content:…” identifiers in a rule, does the order matter? I thought they were just ANDed together, but it seems like it might be something else happening.

For example, in the following rule, which has been modified to also exclude "foo.cc", we seemed to get different results between:

  1. content:!"foo.cc"; content:".cc"; endswith;
  2. content:".cc"; content:!"foo.cc"; endswith;

The first option seems to work as expected, while the second option continued to fire the alert for “foo.cc”.

I used /etc/modify.conf to modify an existing rule. What seemed to finally work is included below:

/etc/suricata/modify.conf

2027758 "content:\".cc\";" "content:!\"foo.cc\"; content:\".cc\";"

Original Rule

grep 2027758 /var/lib/suricata/rules/suricata.rules
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query; 
content:".cc"; endswith; fast_pattern; classtype:bad-unknown; sid:2027758; rev:5; 
metadata:affected_product Any, attack_target Client_Endpoint, 
created_at 2019_07_26, deployment Perimeter, former_category DNS, 
signature_severity Minor, updated_at 2020_09_17;)

Modified rule that worked:

alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query; 
content:!"foo.cc"; content:".cc"; endswith; fast_pattern; classtype:bad-unknown; 
sid:2027758; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, 
created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, 
updated_at 2020_09_17;)

Any insight into how this should work is appreciated. Or if there is a better way to handle this type of multiple content within a rule?

Thanks in advance!

Hey there!

I think this issue will be of interest to you

Can you try something like this?

alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query; 
content:!"foo.cc"; endswith; content:".cc"; endswith; fast_pattern; classtype:bad-unknown; 
sid:2027758; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, 
created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, 
updated_at 2020_09_17;)

I just tested on 7.0.4 with the attached pcap (two DNS queries, one for abcd.foo.cc and one for abcd.cc), and my suggested tweak seemed to work (only alerting on abcd.cc).

I also reformatted to
content:".cc"; endswith; fast_pattern; content:!"foo.cc"; endswith;
and it worked as desired.

Looks like this got “fixed” in 7.0.0 and backported into 6.0.12. What version are you running?

dns.pcap (534 Bytes)
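To make the binding rule behind this thread concrete, here is a small added evaluator (my own toy model written for this discussion, not Suricata code) that treats every content keyword as an ANDed match, binds endswith/startswith/nocase to the content keyword immediately before it, and lets a negated content succeed only when its pattern, with its own modifiers, does not match. It shows why moving endswith after the negated content changes what the rule means, since ".cc" then loses its endswith.

```python
import re

# Assumed model of the dns.query content semantics discussed above (not Suricata's
# own matcher): each "content" is a separate test ANDed with the others, and a
# modifier keyword applies only to the content keyword written just before it.
_KW = re.compile(r'(content|endswith|startswith|nocase)\s*(?::\s*(!?)"([^"]*)")?\s*;')

def parse_contents(opts):
    """Parse a rule-option fragment such as 'content:!"foo.cc"; content:".cc"; endswith;'
    into a list of {pattern, negated, mods} entries. Other keywords are ignored."""
    items = []
    for kw, neg, pat in _KW.findall(opts):
        if kw == "content":
            items.append({"pattern": pat, "negated": neg == "!", "mods": set()})
        else:
            if not items:
                raise ValueError(f"{kw} must follow a content keyword")
            items[-1]["mods"].add(kw)  # binds to the preceding content only
    return items

def _single_match(item, buf):
    pat = item["pattern"]
    if "nocase" in item["mods"]:
        pat, buf = pat.lower(), buf.lower()
    if "endswith" in item["mods"]:
        hit = buf.endswith(pat)
    elif "startswith" in item["mods"]:
        hit = buf.startswith(pat)
    else:
        hit = pat in buf
    # content:!"..." succeeds when the constrained pattern is NOT found
    return (not hit) if item["negated"] else hit

def rule_matches(opts, query):
    """True when every content keyword in opts is satisfied by the dns.query buffer."""
    return all(_single_match(item, query) for item in parse_contents(opts))

# The two orderings from the question and the reformatted version from the reply.
OPTION_1 = 'content:!"foo.cc"; content:".cc"; endswith;'
OPTION_2 = 'content:".cc"; content:!"foo.cc"; endswith;'
REPLY = 'content:".cc"; endswith; fast_pattern; content:!"foo.cc"; endswith;'

if __name__ == "__main__":
    for q in ("abcd.cc", "abcd.foo.cc", "foo.cc.example", "abcd.cc.net"):
        print(q, rule_matches(OPTION_1, q), rule_matches(OPTION_2, q), rule_matches(REPLY, q))
```

Queries such as foo.cc.example or abcd.cc.net show the difference: option 1 and the reply's version keep ".cc" anchored to the end of the query, while option 2 only requires ".cc" to appear somewhere.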

Thanks for the info! I’m running Suricata 7.0.2