My custom.yaml file has address-groups that my suricata.yaml does not.
For my environment, I cannot replace/update the ‘suricata.yaml’ file for suricata, but I can update and maintain the ‘custom.yaml’ file for suricata.
What has happened is I have custom rules that use some very custom address-groups and suricata-update doesn’t see the var name in the ‘suricata.yaml’ address-groups and disables those rules.
Could we add the ability to parse/include the custom.yaml file next to the suricata.yaml file, after the suricata.yaml file so the options are correct for reference (address-groups for me would get updated/replaced by my custom.yaml and I would want to use the updated values from custom.yaml)?
And after some testing, I found this did not fix it.
This rule modification does not appear to process correctly:
3300303 "any any -> any" "[any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]] any -> [any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]]"
The rule normally reads:
any any -> any any ...
Specifically, it mentions that the port-group vars did not exist, which I kept thinking was odd. It would seem the issue is actually doing two any replacements on source and destination, and not doing the replacement or matching vars correctly?
Default paths may differ based on installation options.
But this does merge the includes into the output, which you should see if you run the command.
When Suricata-Update finds vars that don’t exist it will output something like:
Notes:
* A rule has been disabled due to the unknown address-group variable
MY_HTTP_HOSTS being used. You may want to add this variable to your
Suricata configuration file.
This actually appears to be a bug in Suricata update not parsing the variable lists correctly. It's picking up part of the address group as a port group, seeing that port group doesn't exist and disabling the rule. Looking into it.
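As an added illustration (not code from this thread or from suricata-update), the following Python sketch shows the two points discussed above: a bracket-aware header split that keeps a nested, negated address group out of the port field, and a check of the header's address-group variables against suricata.yaml merged with custom.yaml. The header is modelled on the modify rule above; the config contents and IP ranges are constructed stand-ins.

```python
import re
# Constructed header with the shape of the thread's modify rule: nested, negated
# address groups on both sides and port "any" on both sides.
RULE_HEADER = ("[any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]] any -> "
               "[any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]] any")
# Constructed vars: sections of both files (real code would yaml.safe_load them).
SURICATA_YAML = {"address-groups": {"HOME_NET": "[192.168.0.0/16]"},
                 "port-groups": {"HTTP_PORTS": "80"}}
CUSTOM_YAML = {"address-groups": {"EXTERNAL_IP": "[203.0.113.10]",
                                  "REVERSE_PROXY_HOSTS": "[10.0.0.0/24]",
                                  "ODD_HTTP_HOSTS": "[10.0.1.0/24]"}}
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def split_header(header):
    """src_addr, src_port, direction, dst_addr, dst_port; a bracketed group stays
    one token however deeply nested (a plain split() would hand '![$EXTERNAL_IP,'
    to the port field, which is the confusion seen in the thread)."""
    tokens, cur, depth = [], [], 0
    for ch in header.strip():
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur))
    if len(tokens) != 5 or tokens[2] not in ("->", "<>"):
        raise ValueError("malformed rule header: %r" % header)
    return tokens

def header_vars(header):
    """(address-group vars, port-group vars) referenced by the header."""
    src_addr, src_port, _, dst_addr, dst_port = split_header(header)
    return (set(VAR_RE.findall(src_addr + " " + dst_addr)),
            set(VAR_RE.findall(src_port + " " + dst_port)))

def merged_vars(base, custom):
    """suricata.yaml first, then custom.yaml: later definitions win per group."""
    return {g: {**base.get(g, {}), **custom.get(g, {})}
            for g in ("address-groups", "port-groups")}

def missing_vars(header, config):
    """Vars the header uses that the (merged) config does not define."""
    addr, port = header_vars(header)
    return (sorted(addr - set(config["address-groups"])),
            sorted(port - set(config["port-groups"])))
```

With only SURICATA_YAML loaded all three address-group vars are reported missing; once CUSTOM_YAML is merged on top, nothing is missing and no port-group var is ever involved.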