Rules modified with modify.conf still appear in alerts

sgroenev · January 10, 2022, 12:18pm

Hi!

So through modify.conf I adjusted a bunch of log4j related rules on Suricata 6.0.3:

2034647 "any any -> [$HOME_NET,$HTTP_SERVERS] any" "any any -> [$LOG4J] any"

To ensure that only log4j affected machines appear on the alerts, the number of false positives is massive, I created the variable $LOG4J in suricata.yaml:

LOG4J: "[10.0.0.1, 10.0.0.2]"

Then I ran suricata-update and restarted Suricata.
No errors when restarting Suricata or with suricata-update (the number of modified rules increased accordingly).

However the alerts are still popping up with IP 10.0.0.3. This IP is not vulnerable for Log4J but is part of the $HOME_NET variable (HTTP_SERVERS = $HOME_NET in my settings).

Any ideas are more than welcome!

ish · January 10, 2022, 6:28pm

Its an escaping issue as the first match is a regular expression. Please try:

2034647 "any any -> \\[\\$HOME_NET,\\$HTTP_SERVERS\\] any" "any any -> [$LOG4J] any"

sgroenev · January 11, 2022, 11:14am

Thanks @ish! And me thinking all the time that only the first part needs to be escaped. Time for some regex lessons!

Topic		Replies	Views
Modify.conf possibly not working, probably a newbie error?	7	798	January 26, 2023
Suricata-update modify.conf Rules	4	1750	September 11, 2020
All of a sudden new entries in disable.conf being ignored Help	8	1758	October 28, 2022
Modify.conf question Rules	2	484	November 25, 2021
Help Using Modify.Conf Help rules , suricata	5	342	October 10, 2023

Rules modified with modify.conf still appear in alerts

Related Topics