I’m attempting to put together a rule that compares two strings in a log event. What I’d like to do is grab an ICMP echo request and then compare two strings from a log event. The rule should trigger if the two strings “DO NOT” match. Those two specific strings are going to be the values of bytes_toserver and bytes_toclient from flow logs. For example:
"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0,
Is there a way to take a value and then store into a variable for comparison? I’ve read a bit through the Suricata documentation, but am unable to find anything that outright meets this need. Below is a rule that works so far that triggers on ‘all’ ICMP requests minus the string matching that I need.
alert icmp $INTERNAL_NETWORK any -> ![$INTERNAL_NETWORK,$KNOWN_GOOD] any (msg:"PROTOCOL-ICMP PING Non_Matching Bytes"; itype:8; threshold: type both, track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 7200; classtype:misc-activity; sid:1234; rev:1;)
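As an added example (not part of the original post, and not a Suricata rule), one way to do the comparison the post asks for is outside the rule engine: a script that reads eve.json flow records and reports ICMP echo flows whose bytes_toserver and bytes_toclient differ. The flow field names come from the post; the top-level proto/icmp_type/src_ip/dest_ip fields and the sample records are assumptions constructed for the example.

```python
import json

# Constructed sample eve.json flow records (not real captures). The "flow"
# object follows the post; the other fields are assumed Suricata eve layout.
SAMPLE_EVE = """\
{"event_type":"flow","proto":"ICMP","icmp_type":8,"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":60,"bytes_toclient":0}}
{"event_type":"flow","proto":"ICMP","icmp_type":8,"src_ip":"10.0.0.6","dest_ip":"192.0.2.11","flow":{"pkts_toserver":4,"pkts_toclient":4,"bytes_toserver":392,"bytes_toclient":392}}
{"event_type":"flow","proto":"ICMP","icmp_type":8,"src_ip":"10.0.0.7","dest_ip":"192.0.2.12","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":1500,"bytes_toclient":294}}
{"event_type":"flow","proto":"TCP","src_ip":"10.0.0.8","dest_ip":"192.0.2.13","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":700,"bytes_toclient":3200}}
this line is deliberately not JSON
"""


def icmp_byte_mismatches(lines):
    """Return a list of ICMP echo-request flows where bytes_toserver != bytes_toclient.

    Each hit records the endpoints, both byte counters and a short reason:
    "no reply" when nothing came back at all, "asymmetric" when the reply
    was a different size than the request traffic.
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        # Only completed flow records for ICMP echo requests are of interest.
        if ev.get("event_type") != "flow" or ev.get("proto") != "ICMP":
            continue
        if ev.get("icmp_type") != 8:
            continue
        flow = ev.get("flow", {})
        to_server, to_client = flow.get("bytes_toserver"), flow.get("bytes_toclient")
        if to_server is None or to_client is None:
            continue  # counters missing; nothing to compare
        if to_server != to_client:
            hits.append({
                "src_ip": ev.get("src_ip"),
                "dest_ip": ev.get("dest_ip"),
                "bytes_toserver": to_server,
                "bytes_toclient": to_client,
                "reason": "no reply" if to_client == 0 else "asymmetric",
            })
    return hits


if __name__ == "__main__":
    for hit in icmp_byte_mismatches(SAMPLE_EVE.splitlines()):
        print(hit)
```

Against a live deployment, feed it the real eve.json (for example `icmp_byte_mismatches(open("/var/log/suricata/eve.json"))`) and apply whatever per-source thresholding the rule above was doing on top of the returned hits.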