Hey Team,
I am attempting to drop and then modify some rules with Suricata-Update version 1.1.2 on Suricata 5.0.3 but am having difficulty getting the best of both worlds.
I am looking to convert all etn_aggressive.rules (https://security.etnetera.cz/feeds/etn_aggressive.rules) to a drop, and then exclude a particular IP address (194.39.218.10) from the list. Unfortunately the rule signature that the IP address is grouped in is always changing so I cannot just modify a set SID.
My thought was to add to Drop.conf :
group:etn_aggressive.rules
and then add to Modify.conf:
re:security.etnetera.cz "(194.39.218.10)(.*)" "!194.39.218.10\2"
The modify works (replacing 194.39.218.10 to !194.39.218.10) but all the rules within the etn_aggressive group stay at “alert” instead of converting to “drop”.
I tried a few other variations but have not had luck in converting them all to “drop” and modifying the IP address at the same time. I either get:
- All rules within that group convert to drop but the IP address is not modified
- The rule that contains the IP address is modified and converted to drop but all other rules within that group stay at alert
- No changes are done. Rules stay at "alert" and the IP address is unmodified
I have tried a few variations:
Modify.conf without adding the group to Drop.conf:
re:security.etnetera.cz "(alert)(.*)(194.39.218.10)(.*)" "drop\2!194.39.218.10\4"
re:security.etnetera.cz "(alert)(.*)" "drop\2"
Drop.conf:
group:etn_aggressive.rules
Modify.conf:
re:security.etnetera.cz "(drop)(.*)(194.39.218.10)(.*)" "drop\2!194.39.218.10\4"
But I still cannot get that mix of both, convert to drop and modify.
I reload the rules with:
suricata-update -f -v --disable-conf=/etc/suricata/disable.conf --enable-conf=/etc/suricata/enable.conf --drop-conf=/etc/suricata/drop.conf --modify-conf=/etc/suricata/modify.conf --local /etc/suricata/local.rules --reload-command='kill -USR2 $(cat /var/run/suricata.pid)'
My thought is to convert the rules to drop and then use the regex finder to search for the string “security.etnetera.cz” (since this is only applies to rules in that group) and then replace 194.39.218.10 with !194.39.218.10. Perhaps there is a better way and I am going about this wrong, or maybe my regex search and replace is wrong?
Any insight would be greatly appreciated!
Thanks,
Taylor
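The following is an added illustration, not part of Taylor's post and not suricata-update's own filter code. It reimplements the substitution semantics of a modify.conf `re:` entry (match a regex against the rule text, then run a regex search/replace over the whole line) with Python's `re` module and runs it over three constructed sample rules, so you can see why a single combined entry only reaches the rule that contains the IP address, while two sequential entries (all feed rules to `drop`, then negate the IP) produce the wanted result on the text. Whether suricata-update applies every matching modify entry in file order, and in which order it applies drop.conf relative to modify.conf, is not established by the post and is treated here as an assumption to verify against your version; the sample rules, SIDs and messages are invented.

```python
import re

# Constructed sample rules written in the style of an IP-reputation feed; they
# are NOT real etn_aggressive.rules content. Only the first two carry the
# "security.etnetera.cz" reference that the posted modify.conf entries key on.
SAMPLE_RULES = [
    'alert ip [194.39.218.10,203.0.113.7] any -> $HOME_NET any '
    '(msg:"ETN AGGRESSIVE sample 1"; reference:url,security.etnetera.cz; sid:8000001; rev:1;)',
    'alert ip [198.51.100.4,198.51.100.5] any -> $HOME_NET any '
    '(msg:"ETN AGGRESSIVE sample 2"; reference:url,security.etnetera.cz; sid:8000002; rev:1;)',
    'alert tcp $HOME_NET any -> 203.0.113.9 80 '
    '(msg:"unrelated sample rule"; sid:9000001; rev:1;)',
]


def apply_modify(rules, match_regex, search, replace):
    """Apply one modify.conf style entry:  re:<match_regex> "<search>" "<replace>".

    A rule is touched only if match_regex is found somewhere in its text; the
    substitution is then run over the whole rule line with re.sub, so <search>
    is a regex and <replace> may use backreferences such as \\1 and \\2.
    This mirrors the substitution semantics of the posted entries; it is a
    stand-alone reimplementation, not suricata-update's own filter code.
    """
    matcher = re.compile(match_regex)
    pattern = re.compile(search)
    return [pattern.sub(replace, r) if matcher.search(r) else r for r in rules]


def one_entry_attempt(rules):
    """The single-entry approach from the post: switch the action to drop and
    negate the IP in one regex. The search pattern requires the IP to be
    present, so it can only ever fire on the rule that contains it; every other
    feed rule keeps its 'alert' action."""
    return apply_modify(rules, "security.etnetera.cz",
                        r"^(alert)(.*)(194\.39\.218\.10)(.*)$", r"drop\2!\3\4")


def two_entry_attempt(rules):
    """Two entries in sequence: first every feed rule becomes drop, then the IP
    is negated wherever it appears. Assumption (verify for your version): the
    tool applies each matching entry to a rule in file order."""
    dropped = apply_modify(rules, "security.etnetera.cz", r"^alert\b", "drop")
    return apply_modify(dropped, "security.etnetera.cz",
                        r"(194\.39\.218\.10)(.*)", r"!\1\2")


def actions(rules):
    """Return the action keyword (first token) of each rule, for quick checking."""
    return [r.split(None, 1)[0] for r in rules]


if __name__ == "__main__":
    for name, fn in (("one entry", one_entry_attempt), ("two entries", two_entry_attempt)):
        print(name, actions(fn(SAMPLE_RULES)))
```

The dots in the matcher `security.etnetera.cz` are left unescaped, as in the post, so they match any character; the IP in the search patterns is escaped so `194.39.218.10` cannot accidentally match a different address. Note that negating one entry inside an address list such as `[194.39.218.10,203.0.113.7]` is a text change only; check the resulting rule against Suricata's address-list rules when the feed groups that IP with others.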