Rules modified with modify.conf still appear in alerts

Hi!

So through modify.conf I adjusted a bunch of log4j related rules on Suricata 6.0.3:

2034647 "any any -> [$HOME_NET,$HTTP_SERVERS] any" "any any -> [$LOG4J] any"

To ensure that only log4j affected machines appear in the alerts (the number of false positives is massive), I created the variable $LOG4J in suricata.yaml:

LOG4J: "[10.0.0.1, 10.0.0.2]"

Then I ran suricata-update and restarted Suricata.
No errors when restarting Suricata or with suricata-update (the number of modified rules increased accordingly).

However, the alerts are still popping up with IP 10.0.0.3. This IP is not vulnerable to Log4J but is part of the $HOME_NET variable (HTTP_SERVERS = $HOME_NET in my settings).

Any ideas are more than welcome!

It's an escaping issue, as the first match is a regular expression. Please try:

2034647 "any any -> \\[\\$HOME_NET,\\$HTTP_SERVERS\\] any" "any any -> [$LOG4J] any"
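To see why the unescaped line never touches the rule, here is an added example (not code from this thread or from the suricata-update project) that applies a modify.conf line the way I understand suricata-update does: the line is split into three tokens shell-style, the first quoted string is compiled as a regular expression, and the rule text is rewritten with it. The sample rule is a constructed stand-in whose header and sid mirror the thread, not the real ET Open rule 2034647. The shell-style tokenising is an assumption; it is what turns `\\[` in the file into `\[` for the regex engine.

```python
import re
import shlex

# Constructed sample rule: only the header and the sid matter for this test.
SAMPLE_RULE = (
    'alert http any any -> [$HOME_NET,$HTTP_SERVERS] any '
    '(msg:"EXAMPLE Log4j JNDI attempt (constructed)"; '
    'content:"${jndi:"; sid:2034647; rev:1;)'
)

# The two modify.conf lines from the thread, exactly as they would sit in the file.
UNESCAPED_LINE = '2034647 "any any -> [$HOME_NET,$HTTP_SERVERS] any" "any any -> [$LOG4J] any"'
ESCAPED_LINE = r'2034647 "any any -> \\[\\$HOME_NET,\\$HTTP_SERVERS\\] any" "any any -> [$LOG4J] any"'


def parse_modify_line(line):
    """Split one modify.conf line into (sid, compiled pattern, replacement).

    Assumption: the line is tokenised like a shell word list, so inside the
    double quotes a doubled backslash collapses to a single one before the
    first string is handed to the regex compiler.
    """
    sid, from_re, to = shlex.split(line)
    return int(sid), re.compile(from_re), to


def rule_sid(rule):
    """Extract the sid from a rule's options, or None if absent."""
    m = re.search(r'\bsid:\s*(\d+)\s*;', rule)
    return int(m.group(1)) if m else None


def apply_modify(line, rule):
    """Apply a modify.conf line to a rule. Returns (rule_text, was_modified)."""
    sid, pattern, repl = parse_modify_line(line)
    if rule_sid(rule) != sid:
        return rule, False
    new_rule, count = pattern.subn(repl, rule)
    return new_rule, count > 0


def explain(line, rule):
    """Human-readable summary of what the regex engine actually saw."""
    _, pattern, _ = parse_modify_line(line)
    new_rule, changed = apply_modify(line, rule)
    return "regex=%r changed=%s header=%r" % (
        pattern.pattern, changed, new_rule.split(" (", 1)[0])


if __name__ == "__main__":
    # Unescaped: '[...]' is a character class and '$' an end anchor, so no match.
    print(explain(UNESCAPED_LINE, SAMPLE_RULE))
    # Escaped: the brackets and dollars are literal, so the header is rewritten.
    print(explain(ESCAPED_LINE, SAMPLE_RULE))
```

In the unescaped form `[$HOME_NET,$HTTP_SERVERS]` matches a single character from that set, and `$` inside the class is just a member, so the pattern can never match the literal `[` in the rule header and the rule is silently left as-is (suricata-update still counts the filter, which is why the modified-rule count can rise without anything changing). After fixing the file, a quick check is to search the generated rules file for `sid:2034647` and confirm its header now reads `[$LOG4J]` rather than `[$HOME_NET,$HTTP_SERVERS]`.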

Thanks @ish! And me thinking all the time that only the first part needs to be escaped. Time for some regex lessons!