When you have multiple "content:..." identifiers in a rule, does the order matter? I thought they were just ANDed together, but it seems like it might be something else happening.
For example, in the following rule which has been modified to also exclude "foo.cc" we seemed to get different results between:
- content:!"foo.cc"; content:".cc"; endswith;
- content:".cc"; content:!"foo.cc"; endswith;
The first option seems to work as expected, while the second option continued to fire the alert for "foo.cc".
I used /etc/modify.conf to modify an existing rule. What seemed to finally work is included below:
/etc/suricata/modify.conf
2027758 "content:\".cc\";" "content:!\"foo.cc\"; content:\".cc\";"
Original Rule
grep 2027758 /var/lib/suricata/rules/suricata.rules
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query;
content:".cc"; endswith; fast_pattern; classtype:bad-unknown; sid:2027758; rev:5;
metadata:affected_product Any, attack_target Client_Endpoint,
created_at 2019_07_26, deployment Perimeter, former_category DNS,
signature_severity Minor, updated_at 2020_09_17;)
Modified rule that worked:
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query;
content:!"foo.cc"; content:".cc"; endswith; fast_pattern; classtype:bad-unknown;
sid:2027758; rev:5; metadata:affected_product Any, attack_target Client_Endpoint,
created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor,
updated_at 2020_09_17;)
Any insight into how this should work is appreciated. Or is there a better way to handle this type of multiple content within a rule?
Thanks in advance!
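The point the two orderings above turn on is that Suricata binds a modifier such as endswith to the immediately preceding content keyword, not to the whole rule. The small model below (added here as an illustration; it is not Suricata code and only handles content, endswith, startswith and nocase over a single buffer such as dns.query) parses both option strings from the post and evaluates them against a few constructed query names, so you can see that the two orderings express different conditions: the first means "does not contain foo.cc AND ends with .cc", the second means "contains .cc AND does not end with foo.cc", which is why the second one loses the TLD constraint entirely.

```python
import re

# Added illustration of how modifiers bind to the preceding `content`
# keyword in a Suricata rule. This is a simplified model, not Suricata
# code: only `content` and the endswith/startswith/nocase modifiers are
# handled, and matching is done against one already-extracted buffer
# (the equivalent of the dns.query sticky buffer in the rule above).

def parse_content_chain(options):
    """Turn a rule-option string into a list of content entries.

    Each entry records the pattern, whether it is negated with `!`, and
    the set of modifiers that followed it. Keywords the model does not
    understand (fast_pattern, msg, sid, ...) are skipped.
    """
    chain = []
    for kw in (k.strip() for k in options.split(";") if k.strip()):
        m = re.match(r'content:\s*(!?)"(.*)"$', kw)
        if m:
            chain.append({"neg": m.group(1) == "!", "pat": m.group(2), "mods": set()})
        elif kw in ("endswith", "startswith", "nocase"):
            if not chain:
                raise ValueError(f"{kw} has no preceding content keyword")
            # The modifier attaches to the most recent content keyword.
            chain[-1]["mods"].add(kw)
    return chain

def content_matches(buf, entry):
    """Evaluate one content entry (with its modifiers) against a buffer."""
    pat = entry["pat"]
    if "nocase" in entry["mods"]:
        buf, pat = buf.lower(), pat.lower()
    if "endswith" in entry["mods"]:
        found = buf.endswith(pat)
    elif "startswith" in entry["mods"]:
        found = buf.startswith(pat)
    else:
        found = pat in buf
    return not found if entry["neg"] else found

def rule_alerts(options, query):
    """All content entries are ANDed; the rule fires only if every one holds."""
    return all(content_matches(query, e) for e in parse_content_chain(options))

def describe(options):
    """Render the chain as a human-readable condition, to show the binding."""
    parts = []
    for e in parse_content_chain(options):
        verb = "ends with" if "endswith" in e["mods"] else \
               "starts with" if "startswith" in e["mods"] else "contains"
        parts.append(f'{"NOT " if e["neg"] else ""}{verb} "{e["pat"]}"')
    return " AND ".join(parts)

# The two orderings quoted in the post.
ORDER_A = 'content:!"foo.cc"; content:".cc"; endswith;'
ORDER_B = 'content:".cc"; content:!"foo.cc"; endswith;'

# Constructed sample queries, not taken from real traffic.
SAMPLE_QUERIES = ["bar.cc", "foo.cc", "foo.cc.net", "example.ccx"]

if __name__ == "__main__":
    for label, opts in (("A", ORDER_A), ("B", ORDER_B)):
        print(f"order {label}: {describe(opts)}")
        for q in SAMPLE_QUERIES:
            print(f"  {q:14} -> {'ALERT' if rule_alerts(opts, q) else 'no alert'}")
```

Running it shows order A firing only on names that end in .cc and do not contain foo.cc, while order B also fires on foo.cc.net and example.ccx, because in that ordering endswith is attached to the negated foo.cc content and the ".cc" content is a plain substring match again. When combining a positive and a negated content on the same buffer, put the negated one first (as in the rule that worked for you) or give each content its own modifiers explicitly, so the endswith constraint stays on the pattern you intend.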