Suricata reference not showing in rules

Hello,

I am running suricata with the following configuration file
suricata.soc.yml (8.6 KB)

with only one rule defined in /etc/suricata/rules/suricata.rules which is the following:

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; reference:url,doc.emergingthreats.net/bin/view/Main/2100498; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

This alert gets correctly triggered when ingesting corresponding traffic through the interface suricata listens on.

However this alert does not come with the reference in the eve.log.

I would expect something like:

reference:http://emergingthreats.net/bin/view/Main/2100498

The /etc/suricata/reference.config file contains the following lines:

# config reference: system URL

config reference: bugtraq   http://www.securityfocus.com/bid/
config reference: bid       http://www.securityfocus.com/bid/
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
#config reference: cve       http://cvedetails.com/cve/
config reference: secunia   http://www.secunia.com/advisories/

#whitehats is unfortunately gone
config reference: arachNIDS http://www.whitehats.com/info/IDS

config reference: McAfee    http://vil.nai.com/vil/content/v_
config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url       http://
config reference: et        http://doc.emergingthreats.net/
config reference: etpro     http://doc.emergingthreatspro.com/
config reference: telus     http://
config reference: osvdb     http://osvdb.org/show/osvdb/
config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
config reference: md5       http://www.threatexpert.com/report.aspx?md5=
config reference: exploitdb http://www.exploit-db.com/exploits/
config reference: openpacket https://www.openpacket.org/capture/grab/
config reference: securitytracker http://securitytracker.com/id?
config reference: secunia   http://secunia.com/advisories/
config reference: xforce    http://xforce.iss.net/xforce/xfdb/
config reference: msft      http://technet.microsoft.com/security/bulletin/

It seems references are never output by suricata (not only this one).

Thanks

We don’t appear to have the option to log this now. You can enable logging of the whole rule so the rule ends up in the alert which is the closest we have for now, see: 10.1. Suricata.yaml — Suricata 6.0.10 documentation

But this might make for a reasonable feature request.

Thanks for your reply.

I think I don’t quite get the role of reference.config file.
What is the effect on setting:

reference-config-file: /etc/suricata/reference.config

in suricata.yml

I too was surprised that the reference keyword did not produce anything in the log.

The “reference” keyword seems like a Snort holdover and a clunky and onerous one at that, even if it was logged.

My suggestion is not to add support for the “reference” keyword in the logs but to remove support for it altogether in the rules language. For backward compatibility, I realize this is unrealistic but you could at least, in the manual, discourage the use of the reference keyword. If folks want to embed references in rules, the appropriate way to do that is in the metadata keyword. My suggestion (in the metadata) is to use the key name “reference”; the value should be the full reference value (i.e. not the current reference format). That way the reference can fully live with the rule and you don’t have to rely on an additional config file (reference.config), not to mention having to piece together the config file and “reference” keyword value in order to get the intel.
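As an added example (not code from the thread or from the Suricata project), the Python below shows what the mapping in reference.config is used for: a `reference:system,id` option in a rule resolves to that system's URL prefix followed by the id, and it also picks up a full URL stored under a `reference` key in `metadata`, as the last post proposes. The config excerpt and rule are constructed from the values quoted in the thread; the parser is deliberately minimal (options are split on `;`, so quoted values containing `;` are not handled) and the case-insensitive system lookup is an assumption.

```python
import re

# Constructed excerpt of /etc/suricata/reference.config, same format as in the thread.
REFERENCE_CONFIG = """\
# config reference: system URL
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: url       http://
config reference: et        http://doc.emergingthreats.net/
"""

# Constructed rule: the thread's rule plus an "et" reference and a metadata
# "reference" key carrying the full URL (the alternative proposed above).
RULE = ('alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
        'content:"uid=0|28|root|29|"; '
        'reference:url,doc.emergingthreats.net/bin/view/Main/2100498; '
        'reference:et,bin/view/Main/2100498; classtype:bad-unknown; sid:2100498; rev:7; '
        'metadata:created_at 2010_09_23, '
        'reference http://doc.emergingthreats.net/bin/view/Main/2100498;)')


def parse_reference_config(text):
    """Map each reference system name to its URL prefix, skipping comments/blank lines."""
    systems = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+reference:\s*(\S+)\s+(\S+)", line)
        if m:
            systems[m.group(1).lower()] = m.group(2)   # assumption: names are case-insensitive
    return systems


def rule_options(rule):
    """Return (keyword, value) pairs from the rule body; naive split on ';'."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    for raw in body.split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            pairs.append((key.strip(), val.strip()))
    return pairs


def resolve_references(rule, systems):
    """Expand reference:system,id via the config and collect metadata 'reference' URLs."""
    urls = []
    for key, val in rule_options(rule):
        if key == "reference":
            system, _, ident = val.partition(",")
            prefix = systems.get(system.strip().lower())
            if prefix is None:
                raise KeyError(f"reference system not in reference.config: {system}")
            urls.append(prefix + ident.strip())
        elif key == "metadata":
            for item in val.split(","):
                mkey, _, mval = item.strip().partition(" ")
                if mkey == "reference":        # full URL lives in the rule itself
                    urls.append(mval.strip())
    return urls


if __name__ == "__main__":
    for url in resolve_references(RULE, parse_reference_config(REFERENCE_CONFIG)):
        print(url)
```

All three routes end at the same URL, which is the point of the last post: with the full value in `metadata` the rule no longer depends on reference.config being present and consistent.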