I am struggling to modify a rule using modify.conf. suricata-update loads modify.conf as expected and shows correct number of modified rules, but when I check the rule in the /var/lib/suricata/rules/suricata.rules file I do not see my update.
The rule contains a pcre statement, and I would like to modify that statement.
The rule contains:
pcre:"/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/";
I want to narrow the scope of the dotted quad.
Example of what I am trying to change via modify.conf:
2018358 re:"/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" "/^(?!100.1[2-3].d{1,3}.d{1-3}"
I am not 100% sure I have the correct syntax, but this variation does not cause suricata-update to fail parsing when run.
I have not been able to find any documentation that provides insight.
The "re:" is only if you are trying to modify a rule that matches a regular expression, but here you have a sid to find the rule to modify. If that still fails, try an extra '', like /^\\d{1,3}...…
Yes, the rule is SID 2018358. I tried the example you provided, and modify.conf is loaded; I see the correct "Modified 4 Rules", but no modifications when suricata.rules is being written. I checked the suricata.rules file and there is no change.
23/2/2021 – 15:15:51 - – Loading /etc/suricata/modify.conf.
…
…
23/2/2021 – 15:16:06 - – Modified 4 rules.
…
23/2/2021 – 15:16:12 - – Writing rules to /var/lib/suricata/rules/suricata.rules: total: 27631; enabled: 18946; added: 0; removed 0; modified: 0
This was originally a modifysid from Oinkmaster. I attempted using it with the same results.
modifysid 2018358 "/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}" | "/^(?!100.1[2-3].d{1,3}.d{1-3}"
I’m not sure how Oinkmaster works internally, but suricata-update basically passes through this data to re.sub, so to match a regex with a regex you have to add a whole lot of escaping. So something like this should work:
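An added example, not part of the reply above and not suricata-update's own code, that models the step the reply describes: the two quoted strings from a modify.conf line are handed to Python's re.sub, so an unescaped pattern is read as a regex (`\d` meaning "one digit", `^` an anchor) and never matches the literal `\d` text inside the rule, which is why the rule comes back unchanged. The sample rule body and the narrowed replacement pcre are constructed, and the modify.conf quoting/tokenising layer is not modelled.

```python
import re

# Constructed sample rule carrying the pcre from the question; only the sid and
# the pcre come from the thread, the rest of the rule body is made up.
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"constructed sample"; pcre:"/^\\d{1,3}.\\d{1,3}.\\d{1,3}.\\d{1,3}/"; '
    'sid:2018358; rev:1;)'
)

# The pcre text to replace, exactly as it appears in the rule.
OLD_PCRE = r'/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/'
# Constructed narrowed version (assumed intent: skip 100.12.x.x / 100.13.x.x and
# require literal dots between the octets).
NEW_PCRE = r'/^(?!100\.1[23]\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/'


def apply_modify(rule, pattern, repl):
    """Model of the step the reply describes: pattern and replacement from a
    modify.conf line go straight into re.sub on the rule text."""
    return re.sub(pattern, repl, rule)


def escape_for_modify(old, new):
    """Make both strings literal for re.sub: re.escape() for the pattern, and
    doubled backslashes for the replacement, because re.sub also expands
    backslash sequences in the replacement (a bare '\\d' there is an error)."""
    return re.escape(old), new.replace('\\', '\\\\')


def attempt_unescaped(rule=RULE):
    """Pattern used verbatim, as in the question: it is parsed as a regex, so
    it never matches the literal backslash-d text and nothing changes."""
    _, repl = escape_for_modify(OLD_PCRE, NEW_PCRE)
    return apply_modify(rule, OLD_PCRE, repl)


def attempt_escaped(rule=RULE):
    """Pattern and replacement escaped: the literal pcre text is found and
    swapped for the narrowed one."""
    pattern, repl = escape_for_modify(OLD_PCRE, NEW_PCRE)
    return apply_modify(rule, pattern, repl)


def narrowed_pcre_matches(text):
    """Sanity check of the constructed pcre outside Suricata (delimiters
    stripped, no pcre flags): does it accept this dotted quad?"""
    return re.match(NEW_PCRE[1:-1], text) is not None


if __name__ == "__main__":
    print("unescaped changed rule:", attempt_unescaped() != RULE)
    print("escaped changed rule:  ", attempt_escaped() != RULE)
    print("escaped pattern to use:", escape_for_modify(OLD_PCRE, NEW_PCRE)[0])
```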