Suricata-Update Drop and Modify

Hey Team,

I am attempting to drop and then modify some rules with Suricata-Update version 1.1.2 on Suricata 5.0.3 but am having difficulty getting the best of both worlds.

I am looking to convert all etn_aggressive.rules (https://security.etnetera.cz/feeds/etn_aggressive.rules) to a drop, and then exclude a particular IP address (194.39.218.10) from the list. Unfortunately the rule signature that the IP address is grouped in is always changing so I cannot just modify a set SID.

My thought was to add to Drop.conf:

group:etn_aggressive.rules

and then add to Modify.conf:

re:security.etnetera.cz "(194.39.218.10)(.*)" "!194.39.218.10\2"

The modify works (replacing 194.39.218.10 to !194.39.218.10) but all the rules within the etn_aggressive group stay at “alert” instead of converting to “drop”.

I tried a few other variations but have not had luck in converting them all to “drop” and modifying the IP address at the same time. I either get:

  • All rules within that group convert to drop but the IP address is not modified

  • The rule that contains the IP address is modified and converted to drop but all other rules within that group stay at alert

  • No changes are done. Rules stay at “alert” and IP address is unmodified

I have tried a few variations:

Modify.conf without adding the group to Drop.conf:

re:security.etnetera.cz "(alert)(.*)(194.39.218.10)(.*)" "drop\2!194.39.218.10\4"
re:security.etnetera.cz "(alert)(.*)" "drop\2"


Drop.conf:

group:etn_aggressive.rules

Modify.conf:

re:security.etnetera.cz "(drop)(.*)(194.39.218.10)(.*)" "drop\2!194.39.218.10\4"


But I still cannot get that mix of both, convert to drop and modify.

I reload the rules with:

suricata-update -f -v --disable-conf=/etc/suricata/disable.conf --enable-conf=/etc/suricata/enable.conf --drop-conf=/etc/suricata/drop.conf --modify-conf=/etc/suricata/modify.conf --local /etc/suricata/local.rules --reload-command='kill -USR2 $(cat /var/run/suricata.pid)'

My thought is to convert the rules to drop and then use the regex finder to search for the string "security.etnetera.cz" (since this only applies to rules in that group) and then replace 194.39.218.10 with !194.39.218.10. Perhaps there is a better way and I am going about this wrong, or maybe my regex search and replace is wrong?

Any insight would be greatly appreciated!

Thanks,
Taylor

I figured out a solution for this. It seems that the regex matcher can only match once, so when I had modify rules that look for the same regex, it would only take the last one:

re:security.etnetera.cz "alert(.*)" "drop\1"

re:security.etnetera.cz "194.39.218.10(.*)" "!194.39.218.10\1"

Upon a rule reload the only modification that would occur would be whichever match came last, in the above example `re:security.etnetera.cz "194.39.218.10(.*)" "!194.39.218.10\1"`.

I got around this by matching on a different regex and adding to drop.conf:

Drop.conf: group:etn_aggressive.rules

Modify.conf: re:194.39.218.10 "alert(.*)194.39.218.10(.*)" "drop\1!194.39.218.10\2"

Not sure if this is intended or if there is an enhancement that can be made to suricata-update.

Thanks,
Taylor
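To make the two application orders concrete, here is a small Python simulation (an added example, not suricata-update's own code): the sample rule is constructed, and the parser only handles the `re:<match> "<from>" "<to>"` line form used in this thread.

```python
import re

# Constructed sample rule in the shape of an etn_aggressive.rules entry; not a real signature.
SAMPLE_RULE = (
    'alert ip 194.39.218.10 any -> $HOME_NET any '
    '(msg:"ETN AGGRESSIVE constructed sample"; reference:url,security.etnetera.cz; '
    'sid:9000001; rev:1;)'
)

# Only the  re:<match> "<from>" "<to>"  form from the thread is supported here.
MODIFY_LINE = re.compile(r'^re:(\S+)\s+"(.*?)"\s+"(.*?)"\s*$')


def parse_modify_line(line):
    """Return (selector regex, search regex, replacement) for one modify.conf line."""
    m = MODIFY_LINE.match(line.strip())
    if not m:
        raise ValueError("unsupported modify line: %r" % line)
    return re.compile(m.group(1)), re.compile(m.group(2)), m.group(3)


def apply_last_wins(rule, lines):
    """Every filter is evaluated against the ORIGINAL rule text, so the result of the
    last matching filter overwrites earlier ones (the behaviour reported in the thread)."""
    result = rule
    for line in lines:
        selector, search, repl = parse_modify_line(line)
        if selector.search(rule):
            result = search.sub(repl, rule)
    return result


def apply_chained(rule, lines):
    """Each matching filter is applied to the output of the previous one."""
    for line in lines:
        selector, search, repl = parse_modify_line(line)
        if selector.search(rule):
            rule = search.sub(repl, rule)
    return rule


def is_drop_with_excluded_ip(rule, ip="194.39.218.10"):
    """The outcome wanted above: the action is drop and the IP is negated."""
    return rule.startswith("drop ") and ("!" + ip) in rule


TWO_LINE_ATTEMPT = [
    r're:security.etnetera.cz "alert(.*)" "drop\1"',
    r're:security.etnetera.cz "194.39.218.10(.*)" "!194.39.218.10\1"',
]
WORKAROUND = [r're:194.39.218.10 "alert(.*)194.39.218.10(.*)" "drop\1!194.39.218.10\2"']

if __name__ == "__main__":
    print(apply_last_wins(SAMPLE_RULE, TWO_LINE_ATTEMPT))  # still alert, only the IP negated
    print(apply_chained(SAMPLE_RULE, TWO_LINE_ATTEMPT))    # drop and negated IP
    print(apply_last_wins(SAMPLE_RULE, WORKAROUND))        # drop and negated IP in one filter
```

The single-filter workaround reaches the wanted result under either order, which is why it was independent of the bug.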

Just verified there is an issue with modify rules that would apply more than one modification to a rule. I’ve created a ticket for this bug:

https://redmine.openinfosecfoundation.org/issues/4259