Suricata reference not showing in rules


I am running suricata with the following configuration file
suricata.soc.yml (8.6 KB)

with only one rule defined in /etc/suricata/rules/suricata.rules which is the following:

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; reference:url,; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

This alert gets correctly triggered when ingesting corresponding traffic through suricata listened iface.

However this alert does not come with the reference in the eve.log.

I would expect someting like:


The /etc/suricata/reference.config file contains the following lines:

# config reference: system URL

config reference: bugtraq
config reference: bid
config reference: cve
#config reference: cve
config reference: secunia

#whitehats is unfortunately gone
config reference: arachNIDS

config reference: McAfee
config reference: nessus
config reference: url       http://
config reference: et
config reference: etpro
config reference: telus     http://
config reference: osvdb
config reference: threatexpert
config reference: md5
config reference: exploitdb
config reference: openpacket
config reference: securitytracker
config reference: secunia
config reference: xforce
config reference: msft

It seems references are never outputed by suricata (not only this one)


We don’t appear to have the option to log this now. You can enable logging of the whole rule so the rule ends up in the alert which is the closest we have for now, see: 10.1. Suricata.yaml — Suricata 6.0.10 documentation

But this might make for a reasonable feature request.

Thanks for your reply.

I think I don’t quite get the role of reference.config file.
What is the effect on setting:

reference-config-file: /etc/suricata/reference.config

in suricata.yml

I too was surprised that the reference keyword did not produce anything in the log.

The “reference” keyword seems like a Snort holdover and a clunky and onerous one at that, even if it was logged.

My suggestion is not to add support for the “reference” keyword in the logs but to remove support for it altogether in the rules language. For backward compatibility, I realize this is unrealistic but you could at least, in the manual, discourage the use of the reference keyword. If folks want to embed references in rules, the appropriate way to do that is in the metadata keyword. My suggestion (in the metadata) is to use the key name “reference”; the value should be the full reference value (i.e. not the current reference format). That way the reference can fully live with the rule and you don’t have to rely on an additional config file (reference.config), not to mention having to piece together the config file and “reference” keyword value in order to get the intel.