Rule has unknown dest port var and will be disabled

sgroenev · May 25, 2022, 1:52pm

Hi all,

Rule question here: I am making the following adjustment (Suricata 6.0.3):

2036303 "\\$HOME_NET any -> \\$EXTERNAL_NET 80" "[$HOME_NET,![10.2.142.32]] any -> $EXTERNAL_NET 80"

I get the following warning message:

25/5/2022 -- 09:38:21 - <Warning> -- Rule has unknown dest port var and will be disabled: EXTERNAL_NET: [1:2036303] ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check

Thanks for the insight!

jmtaylor90 · May 26, 2022, 3:06pm

Hi, I think you would be good if did [$HOME_NET, !10.2.142.32] any → $EXTERNAL_NET 80?

sgroenev · June 1, 2022, 9:35am

Thanks @jmtaylor90, that works, but now I got another popping up:

2025703 "any any -> \\$HOME_NET 445" "[any,![10.2.94.167,10.20.94.167]] any -> $HOME_NET 445"

Drives met nutz!

jmtaylor90 · June 2, 2022, 9:12pm

Did you get this one figured out? If not, can you provide the error suricata is returning? Thanks!

JT

sgroenev · July 13, 2022, 12:22pm

Hi @jmtaylor90, No I haven’t. What I did was deleting the line and re-do the adjustment.
This seems to have helped. May a misplaced [space]. Who knowns.