Suricata-update - modify.conf and $EXTERNAL_NET

Michael_Doggendorf · February 19, 2021, 8:55pm

Hello all,

I need to replace the $EXTERNAL_NET in several ET rules with $HOME_NET using the modify.conf file and suricata-update.

I’ve tried several variations of this:

re:“alert tcp $EXTERNAL_NET” “tcp $EXTERNAL_NET” “tcp $HOME_NET”

but none of them are working.

We’ve been using this for rule with “any” with no problem for over a year now, however:

re:“alert tcp any” “alert tcp any” “alert tcp $HOME_NET”

How would I go about replacing $EXTERNAL_NET with $HOME_NET?

Please let me know.

Thanks!

ish · February 19, 2021, 9:04pm

Try:

re:"alert tcp \\$EXTERNAL_NET" "tcp \\$EXTERNAL_NET" "tcp $HOME_NET"

$ has special meaning in the match side of a regular expression. And for some reason we have to double escape, I think due to compatibility with tools that existed before suricata-update.

Michael_Doggendorf · February 19, 2021, 9:08pm

That did it. I tried a single backslash before, but I didn’t know about the double backslash. Thanks!

Topic		Replies	Views
Modify.conf possibly not working, probably a newbie error?	7	798	January 26, 2023
Modify.conf question Rules	2	484	November 25, 2021
Rule has unknown dest port var and will be disabled Rules	4	924	July 13, 2022
Only getting alerts if $home_net and $external_net are set to "any" Help	1	1536	October 14, 2020
Suricata-update modify.conf Rules	4	1750	September 11, 2020

Suricata-update - modify.conf and $EXTERNAL_NET

Related Topics