Hello, I am trying to create a modify.conf file to change some rules,
but when I run suricata-update, it says Modified 0 rules.
I am trying to change all rules from ETN to disable alerts only for DNS.
Here is my modify.conf file:
# ETN rules not DNS
5000 "\] any " "\] !53 "
5001 "\] any " "\] !53 "
5002 "\] any " "\] !53 "
5003 "\] any " "\] !53 "
5004 "\] any " "\] !53 "
5005 "\] any " "\] !53 "
5006 "\] any " "\] !53 "
5007 "\] any " "\] !53 "
5008 "\] any " "\] !53 "
5009 "\] any " "\] !53 "
5010 "\] any " "\] !53 "
5011 "\] any " "\] !53 "
5012 "\] any " "\] !53 "
5013 "\] any " "\] !53 "
5014 "\] any " "\] !53 "
5015 "\] any " "\] !53 "
Here is the log from suricata-update:
root@ids-lan:/etc/suricata# suricata-update
10/9/2020 -- 10:16:40 - <Info> -- Loading /etc/suricata/update.yaml
10/9/2020 -- 10:16:40 - <Info> -- Using data-directory /var/lib/suricata.
10/9/2020 -- 10:16:40 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
10/9/2020 -- 10:16:40 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
10/9/2020 -- 10:16:40 - <Info> -- Found Suricata version 5.0.3 at /usr/bin/suricata.
10/9/2020 -- 10:16:40 - <Info> -- Loading /etc/suricata/disable.conf.
10/9/2020 -- 10:16:40 - <Info> -- Loading /etc/suricata/modify.conf.
10/9/2020 -- 10:16:40 - <Info> -- Loading /etc/suricata/suricata.yaml
10/9/2020 -- 10:16:40 - <Info> -- Fetching https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz.
100% - 905830/905830
10/9/2020 -- 10:16:41 - <Info> -- Done.
10/9/2020 -- 10:16:41 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-5.0.3/emerging.rules.tar.gz.
10/9/2020 -- 10:16:41 - <Info> -- Fetching https://security.etnetera.cz/feeds/etn_aggressive.rules.
100% - 39286/39286
10/9/2020 -- 10:16:41 - <Info> -- Done.
10/9/2020 -- 10:16:41 - <Info> -- Fetching https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.
100% - 27731/27731
10/9/2020 -- 10:16:41 - <Info> -- Done.
10/9/2020 -- 10:16:41 - <Info> -- Fetching https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules.
100% - 57001/57001
10/9/2020 -- 10:16:42 - <Info> -- Done.
10/9/2020 -- 10:16:42 - <Info> -- Loading local file /usr/share/suricata/rules/ipsec-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading local file /usr/share/suricata/rules/http-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading local file /usr/share/suricata/rules/custom.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading local file /usr/share/suricata/rules/dhcp-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading local file /usr/share/suricata/rules/smtp-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading local file /usr/share/suricata/rules/decoder-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
10/9/2020 -- 10:16:42 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
10/9/2020 -- 10:16:49 - <Info> -- Loaded 62786 rules.
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002228] ATTACK [PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: # [1:10002557] ATTACK AD [PTsecurity] DCShadow Replication Attempt
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: # [1:10002557] ATTACK AD [PTsecurity] DCShadow Replication Attempt
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: # [1:10002558] ATTACK AD [PTsecurity] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: # [1:10002558] ATTACK AD [PTsecurity] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: # [1:10002559] ATTACK [PTsecurity] DCShadow: Fake DC Creation
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: # [1:10002559] ATTACK [PTsecurity] DCShadow: Fake DC Creation
10/9/2020 -- 10:17:22 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10004153] ATTACK AD [PTsecurity] Possible MS-RPRN abuse. Hash or Ticket theft
10/9/2020 -- 10:17:22 - <Info> -- Disabled 1051 rules.
10/9/2020 -- 10:17:22 - <Info> -- Enabled 0 rules.
10/9/2020 -- 10:17:22 - <Info> -- Modified 0 rules.
10/9/2020 -- 10:17:22 - <Info> -- Dropped 0 rules.
10/9/2020 -- 10:17:23 - <Info> -- Enabled 286 rules for flowbit dependencies.
10/9/2020 -- 10:17:23 - <Info> -- Backing up current rules.
10/9/2020 -- 10:17:27 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 62786; enabled: 51938; added: 31924; removed 0; modified: 8
10/9/2020 -- 10:17:28 - <Info> -- Testing with suricata -T.
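As an added example (not code from this post and not suricata-update's own implementation), the following Python dry-run applies a modify.conf of the shape shown above to a small constructed rule set and reports, per entry, whether the sid exists in the rule set at all and whether the regex actually occurs in that rule's text. It assumes the `<sid> "<regex>" "<replacement>"` line form and models a modification as a regex substitution over the raw rule; the sample rules and the modify.conf lines embedded in it are constructed for the demonstration.

```python
"""Dry-run a modify.conf against a rule set to see why entries do not apply.

Added example, not code from the post or from suricata-update. It assumes
the modify.conf line form  <sid> "<regex>" "<replacement>"  (comment lines
begin with '#') and models a modification as a regex substitution over the
raw text of the rule carrying that sid.
"""
import re

# <sid> "<pattern>" "<replacement>"; the quoted text is taken literally.
MODIFY_LINE = re.compile(r'^(\d+)\s+"(.*?)"\s+"(.*?)"\s*$')
SID_OPTION = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample rules (not from any real feed). Only the first header
# has a bracketed address list, so only it contains the text "] any ".
SAMPLE_RULES = [
    'alert dns [10.0.0.0/8,192.168.0.0/16] any -> any 53 '
    '(msg:"constructed DNS rule"; sid:5000; rev:1;)',
    'alert udp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"constructed UDP rule"; sid:5001; rev:1;)',
]

# Constructed modify.conf using the same pattern/replacement shape as the post.
SAMPLE_MODIFY_CONF = r'''
# ETN rules not DNS
5000 "\] any " "\] !53 "
5001 "\] any " "\] !53 "
5002 "\] any " "\] !53 "
'''


def parse_modify_conf(text):
    """Return [(sid, pattern, replacement), ...]; raise on unrecognised lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = MODIFY_LINE.match(line)
        if m is None:
            raise ValueError(f'modify.conf line {lineno}: unrecognised syntax: {raw!r}')
        entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def rule_sid(rule):
    """Extract the sid option from a rule, or None if it has none."""
    m = SID_OPTION.search(rule)
    return int(m.group(1)) if m else None


def dry_run(rules, entries):
    """Per entry: 'sid-not-in-ruleset', 'pattern-no-match', or 'modified' (with result).

    This separates the two causes of a "Modified 0 rules" summary that look
    identical in the log: no loaded rule carries the sid, or the sid exists
    but the regex does not occur anywhere in that rule's text.
    """
    by_sid = {}
    for rule in rules:
        sid = rule_sid(rule)
        if sid is not None:
            by_sid[sid] = rule
    report = []
    for sid, pattern, replacement in entries:
        rule = by_sid.get(sid)
        if rule is None:
            report.append({'sid': sid, 'status': 'sid-not-in-ruleset'})
            continue
        # The replacement is a plain re.sub template, so a backslash in it
        # (such as the one in "\] !53 ") is passed through to the output.
        new_rule, count = re.subn(pattern, replacement, rule)
        report.append({
            'sid': sid,
            'status': 'modified' if count else 'pattern-no-match',
            'result': new_rule,
        })
    return report


def modified_count(rules, entries):
    """Number of rules this model would change (the 'Modified N rules' figure)."""
    return sum(1 for r in dry_run(rules, entries) if r['status'] == 'modified')


if __name__ == '__main__':
    for item in dry_run(SAMPLE_RULES, parse_modify_conf(SAMPLE_MODIFY_CONF)):
        print(item['sid'], item['status'], item.get('result', ''))
```

Run directly it prints the three outcomes: sid 5000 is modified because its header really contains `] any `, sid 5001 is left alone because `$HOME_NET any` has no `]` before `any`, and sid 5002 is not in the rule set at all. The same check against the real downloaded rules file (the `sid:` of the ETN rules and the exact header text around `any`) is what tells you which of the two non-modifying cases a "Modified 0 rules" summary comes from.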