Project

General

Profile

Actions

Support #3511

closed

modify regexes not being applied reliably

Added by J Cliff Armstrong almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

from the documentation (https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules):

Example converting all drop rules with noalert back to alert:

re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2" 

This fails to work on the following rule (leaves it unmodified):

drop tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; noalert; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)

I've tested this regex (https://regex101.com/r/rqBaSC/3) and it should be applied to this rule, but is not. It is not only this rule that is effected. I have not been able to identify why this rule or any other is being exempted from modification.


Files

modify.conf (5.92 KB) modify.conf /etc/suricata/modify.conf J Cliff Armstrong, 03/09/2020 10:43 PM

Related issues 1 (0 open1 closed)

Related to Suricata-Update - Documentation #3535: Document the order in which configuration is applied to rulesClosedShivani BhardwajActions
Actions

Also available in: Atom PDF