Suricata-update & modify.conf

Hello,

I am struggling to modify a rule using modify.conf. suricata-update loads modify.conf as expected and shows correct number of modified rules, but when I check the rule in the /var/lib/suricata/rules/suricata.rules file I do not see my update.

The rule contains a pcre statement, and I would like to modify that statement.
The rule contains:
pcre:"/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/";

I want to narrow the scope of the dotted quad.

Example of what I am trying to change via modify.conf:
2018358 re:"/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" "/^(?!100.1[2-3].d{1,3}.d{1-3}"

I am not 100% sure I have the correct syntax, but this variation does not cause suricata-update to fail parsing when run.

I have not been able to find any documentation that provides insight.

Does the rule you want to modify have the SID 2018358? You could try:

2018358 "/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" "/^(?!100.1[2-3].d{1,3}.d{1-3}"

The "re:" is only if you are trying to modify a rule that matches a regular expression, but here you have a sid to find the rule to modify. If that still fails, try an extra '\', like /^\\d{1,3}...

Yes, the rule is SID 2018358. I tried the example you provided, and modify.conf is loaded, I see the correct "Modified 4 rules", but no modifications when suricata.rules is being written. I checked the suricata.rules file and there was no change.

23/2/2021 -- 15:15:51 - <Info> -- Loading /etc/suricata/modify.conf.
23/2/2021 -- 15:16:06 - <Info> -- Modified 4 rules.
23/2/2021 -- 15:16:12 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 27631; enabled: 18946; added: 0; removed 0; modified: 0

This was originally a modifysid from oinkmaster. I attempted using it, with the same results.
modifysid 2018358 "/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" | "/^(?!100.1[2-3].d{1,3}.d{1-3}"

I’m not sure how Oinkmaster works internally, but suricata-update basically passes through this data to re.sub, so to match a regex with a regex you have to add a whole lot of escaping. So something like this should work:

2018358 "/\^\\\d\{1,3\}\\\.\\\d\{1,3}\\\.\\\d\{1,3}\\\.\\\d\{1,3}" "/^(?!100.1[2-3].d{1,3}.d{1-3}"

The escaping was the issue. Thank you for providing additional insight on re: and how suricata-update handles the data. Much appreciated!

This now works and updates the rules file as expected.

2018358 "/^\\d{1,3}\.\\d{1,3}\.\\d{1,3}\.\\d{1,3}" "/^(?!100.1[2-3].d{1,3}.d{1-3})"
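A small dry-run harness for checking a modify.conf line before running suricata-update, written for this thread as an added example; it is not code from the thread or from the suricata-update project. It re-implements the behaviour described in the answer above (the line is tokenised with shlex, the second token is compiled as a Python regex, the third token is handed to re.sub); that this matches suricata-update's own parsing exactly is an assumption. The sample rule is constructed (only its pcre and sid follow the thread; the rest of the real rule text is not on this page), and the modify lines, the escaped one in particular, are my own constructions rather than the lines posted above.

```python
"""Dry-run a suricata-update modify.conf line against one rule (added example)."""
import re
import shlex

# Constructed stand-in for the rule under discussion: only the pcre and the
# sid are modelled on the thread, everything else is invented for the example.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE dotted quad at start of URI"; flow:established,to_server; '
    'http.uri; pcre:"/^\\d{1,3}.\\d{1,3}.\\d{1,3}.\\d{1,3}/"; '
    'classtype:bad-unknown; sid:2018358; rev:1;)'
)

# Match pattern with no extra escaping, like the first attempts in the thread.
# Inside double quotes shlex leaves "\d" alone, so re.compile sees
# /^\d{1,3}.\d{1,3}... where "^" is an anchor and "\d" means "a digit", not
# the two characters "\" and "d" that are in the rule text. It never matches.
UNESCAPED_LINE = (
    r'2018358 "/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" '
    r'"/^(?!100.1[2-3].d{1,3}.d{1-3})"'
)

# Same change with every regex metacharacter of the rule text escaped (my own
# line, not the one posted). Single quotes keep shlex from touching the
# backslashes. In the replacement the backslashes are doubled because re.sub
# interprets "\" there too (a bare "\d" in a replacement is an error in
# Python 3.7+). The lookahead excludes 100.12.x.x and 100.13.x.x.
ESCAPED_LINE = (
    r"2018358 '/\^\\d\{1,3\}\.\\d\{1,3\}\.\\d\{1,3\}\.\\d\{1,3\}' "
    r"'/^(?!100\\.1[23]\\.)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'"
)

# The thread's first replacement, whose lookahead lacks its closing ")",
# paired with the escaped match so that re.sub does fire.
UNBALANCED_LINE = (
    r"2018358 '/\^\\d\{1,3\}\.\\d\{1,3\}\.\\d\{1,3\}\.\\d\{1,3\}' "
    r"'/^(?!100.1[2-3].d{1,3}.d{1-3}'"
)


def parse_modify_line(line):
    """Split a modify.conf line into (match spec, compiled pattern, replacement).

    Accepts the native '<sid|re:regex> <from> <to>' form and the Oinkmaster
    'modifysid <sid> <from> | <to>' form shown in the thread.
    """
    tokens = shlex.split(line)
    if len(tokens) == 3:
        matchspec, pattern, repl = tokens
    elif len(tokens) == 5 and tokens[0] == "modifysid" and tokens[3] == "|":
        matchspec, pattern, repl = tokens[1], tokens[2], tokens[4]
    else:
        raise ValueError("bad modify line: %r" % line)
    return matchspec, re.compile(pattern), repl


def rule_sid(rule):
    """Return the rule's sid as an int, or None if it has none."""
    m = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    return int(m.group(1)) if m else None


def matcher_hits(matchspec, rule):
    """Does the first token select this rule (by sid, or by an 're:' regex)?"""
    if matchspec.startswith("re:"):
        return re.search(matchspec[3:], rule) is not None
    if matchspec.isdigit():
        return rule_sid(rule) == int(matchspec)
    raise ValueError("unsupported match spec: %r" % matchspec)


def apply_modify_line(line, rule):
    """Return (selected, new_rule).

    'selected' says whether the match spec picked the rule; new_rule is the
    text after re.sub, which is unchanged when the from-pattern did not match.
    The two are reported separately because the thread's log shows them
    differing ("Modified 4 rules" followed by "modified: 0").
    """
    matchspec, pattern, repl = parse_modify_line(line)
    if not matcher_hits(matchspec, rule):
        return False, rule
    return True, pattern.sub(repl, rule)


def pcre_body(rule):
    """Extract the regex between the slashes of the rule's pcre option."""
    m = re.search(r'pcre:"/(.*)/[a-zA-Z]*"', rule)
    return m.group(1) if m else None


def pcre_compiles(rule):
    """Rough syntax check of the resulting pcre with Python's re module
    (an approximation of PCRE; it does catch unbalanced groups)."""
    body = pcre_body(rule)
    if body is None:
        return False
    try:
        re.compile(body)
    except re.error:
        return False
    return True


if __name__ == "__main__":
    for label, line in (("unescaped", UNESCAPED_LINE), ("escaped", ESCAPED_LINE),
                        ("unbalanced", UNBALANCED_LINE)):
        selected, new_rule = apply_modify_line(line, SAMPLE_RULE)
        print("%-10s selected=%s changed=%s pcre_ok=%s" % (
            label, selected, new_rule != SAMPLE_RULE, pcre_compiles(new_rule)))
        print("           pcre: %s" % pcre_body(new_rule))
```

Running the script prints one line per modify line: the unescaped line is selected by sid but changes nothing, the escaped line rewrites the pcre, and the unbalanced one rewrites it into a regex that does not compile. Three details decide whether the from-pattern matches: the caret must be written \^ because a bare ^ in a Python regex is an anchor even after a slash, the backslash of \d must itself be escaped, and single quotes keep shlex from consuming backslashes before they reach re.compile. If the installed suricata-update tokenises lines differently, adjust parse_modify_line accordingly.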