Suricata-update - modify.conf and $EXTERNAL_NET

Michael_Doggendorf · February 19, 2021, 8:55pm

Hello all,

I need to replace the $EXTERNAL_NET in several ET rules with $HOME_NET using the modify.conf file and suricata-update.

I’ve tried several variations of this:

re:“alert tcp $EXTERNAL_NET” “tcp $EXTERNAL_NET” “tcp $HOME_NET”

but none of them are working.

We’ve been using this for rule with “any” with no problem for over a year now, however:

re:“alert tcp any” “alert tcp any” “alert tcp $HOME_NET”

How would I go about replacing $EXTERNAL_NET with $HOME_NET?

Please let me know.

Thanks!

ish · February 19, 2021, 9:04pm

Try:

re:"alert tcp \\$EXTERNAL_NET" "tcp \\$EXTERNAL_NET" "tcp $HOME_NET"

$ has special meaning in the match side of a regular expression. And for some reason we have to double escape, I think due to compatibility with tools that existed before suricata-update.

Michael_Doggendorf · February 19, 2021, 9:08pm

That did it. I tried a single backslash before, but I didn’t know about the double backslash. Thanks!

Topic		Replies	Views
Modify.conf possibly not working, probably a newbie error?	7	694	January 26, 2023
Modify.conf question Rules	2	448	November 25, 2021
$HOME_NET in suricata rule ignored? Rules rules , suricata	2	226	December 18, 2023
How can I modify a suricata rule for complete URL not just the domain name Rules community , rules , suricata	1	1295	July 25, 2022
Outbound traffic Rules	1	663	October 28, 2021

Suricata-update - modify.conf and $EXTERNAL_NET

Related Topics