#StackBounty: #regex #ips Suricata-update doesn't apply modify rules consistently

Bounty: 50

I have the following /etc/suricata/modify.conf file:

## Reject by classtype
re:classtype:s*attempted-user                       "alert(.*)" "reject\1"  # high    Attempted User Privilege Gain
re:classtype:s*unsuccessful-user                    "alert(.*)" "reject\1"  # high    Unsuccessful User Privilege Gain
re:classtype:s*successful-user                      "alert(.*)" "reject\1"  # high    Successful User Privilege Gain
re:classtype:s*attempted-admin                      "alert(.*)" "reject\1"  # high    Attempted Administrator Privilege Gain
re:classtype:s*successful-admin                     "alert(.*)" "reject\1"  # high    Successful Administrator Privilege Gain
re:classtype:s*shellcode-detect                     "alert(.*)" "reject\1"  # high    Executable code was detected
#re:classtype:s*trojan-activity                     "alert(.*)" "reject\1"  # high    A Network Trojan was detected
re:classtype:s*web-application-attack               "alert(.*)" "reject\1"  # high    Web Application Attack
#re:classtype:s*kickass-porn                        "alert(.*)" "reject\1"  # high    SCORE! Get the lotion! - WTF? JCA
re:classtype:s*policy-violation                     "alert(.*)" "reject\1"  # high    Potential Corporate Privacy Violation
re:classtype:s*targeted-activity                    "alert(.*)" "reject\1"  # high    Targeted Malicious Activity was Detected
re:classtype:s*exploit-kit                          "alert(.*)" "reject\1"  # high    Exploit Kit Activity Detected
re:classtype:s*domain-c2                            "alert(.*)" "reject\1"  # high    Domain Observed Used for C2 Detected
re:classtype:s*credential-theft                     "alert(.*)" "reject\1"  # high    Successful Credential Theft Detected
#re:classtype:s*bad-unknown                         "alert(.*)" "reject\1"  # medium  Potentially Bad Traffic
re:classtype:s*attempted-recon                      "alert(.*)" "reject\1"  # medium  Attempted Information Leak
re:classtype:s*successful-recon-limited             "alert(.*)" "reject\1"  # medium  Information Leak
re:classtype:s*successful-recon-largescale          "alert(.*)" "reject\1"  # medium  Large Scale Information Leak
re:classtype:s*attempted-dos                        "alert(.*)" "drop\1"    # medium  Attempted Denial of Service
re:classtype:s*successful-dos                       "alert(.*)" "drop\1"    # medium  Denial of Service
re:classtype:s*denial-of-service                    "alert(.*)" "drop\1"    # medium  Detection of a Denial of Service Attack
re:classtype:s*rpc-portmap-decode                   "alert(.*)" "reject\1"  # medium  Decode of an RPC Query
re:classtype:s*suspicious-filename-detect           "alert(.*)" "reject\1"  # medium  A suspicious filename was detected
re:classtype:s*suspicious-login                     "alert(.*)" "reject\1"  # medium  An attempted login using a suspicious usern
re:classtype:s*system-call-detect                   "alert(.*)" "reject\1"  # medium  A system call was detected
re:classtype:s*unusual-client-port-connection       "alert(.*)" "reject\1"  # medium  A client was using an unusual port
re:classtype:s*non-standard-protocol                "alert(.*)" "reject\1"  # medium  Detection of a non-standard protocol or eve
re:classtype:s*web-application-activity             "alert(.*)" "reject\1"  # medium  access to a potentially vulnerable web appl
re:classtype:s*misc-attack                          "alert(.*)" "reject\1"  # medium  Misc Attack
re:classtype:s*default-login-attempt                "alert(.*)" "reject\1"  # medium  Attempt to login by a default username and
#re:classtype:s*external-ip-check                   "alert(.*)" "reject\1"  # medium  Device Retrieving External IP Address Detec
re:classtype:s*pup-activity                         "alert(.*)" "reject\1"  # medium  Possibly Unwanted Program Detected
re:classtype:s*social-engineering                   "alert(.*)" "reject\1"  # medium  Possible Social Engineering Attempted
re:classtype:s*coin-mining                          "alert(.*)" "reject\1"  # medium  Crypto Currency Mining Activity Detected
#re:classtype:s*not-suspicious                      "alert(.*)" "reject\1"  # low     Not Suspicious Traffic
#re:classtype:s*unknown                             "alert(.*)" "reject\1"  # low     Unknown Traffic
#re:classtype:s*string-detect                       "alert(.*)" "reject\1"  # low     A suspicious string was detected
re:classtype:s*network-scan                         "alert(.*)" "reject\1"  # low     Detection of a Network Scan
#re:classtype:s*protocol-command-decode             "alert(.*)" "reject\1"  # low     Generic Protocol Command Decode
#re:classtype:s*misc-activity                       "alert(.*)" "reject\1"  # low     Misc activity
#re:classtype:s*icmp-event                          "alert(.*)" "reject\1"  # low     Generic ICMP event
#re:classtype:s*tcp-connection                      "alert(.*)" "reject\1"  # vlow    A TCP connection was detected


## Reject by rule id
1:2013926   "alert(.*)" "reject\1" # ET POLICY HTTP traffic on port 443 (POST)
1:2013927   "alert(.*)" "reject\1" # ET POLICY HTTP traffic on port 443 (HEAD)
1:2013928   "alert(.*)" "reject\1" # ET POLICY HTTP traffic on port 443 (PROPFIND)
1:2013931   "alert(.*)" "reject\1" # ET POLICY HTTP traffic on port 443 (DELETE)

# revert `noalert;` rules
re:.        "(drop|reject)(.*) noalert;" "alert\2 noalert;"

The problem is the final rule, re:. "(drop|reject)(.*) noalert;" "alert\2 noalert;". It skips some suricata rules. For example:

drop tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; noalert; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)

The simplest explanation is that there is something wrong with my regex, but I can’t see what. And my tests with regex101 indicate it should be working. And, in fact, there are many other suricata rules which do get modified correctly.

What gives? Is this a bug? Am I missing something? The official OISF support channels haven’t been particularly helpful with this.
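An added offline harness (not suricata-update's own code, and not something the question's author posted) that applies the posted modify.conf chain to rule text the same way the documented syntax describes it: each line is `<match> "<from-regex>" "<to>"`, the match is either `re:<regex>` or `gid:sid`, and the substitution is a Python `re.sub` over the rule. Assumptions, not verified against the tool: filters run in file order with each one seeing the previous filter's output (the ordering the posted config relies on); `re:` matches are a plain case-sensitive search over the whole rule line; the `gid:sid` form reads `sid:`/`gid:` out of the rule, with gid defaulting to 1. The RDP rule is the one quoted above with its upstream action assumed to be `alert`; the other sample rules are constructed stand-ins with local sids. Run as written, the chain does take 2014384 from `alert` to `drop` and back to `alert`, which agrees with the regex101 result and lets you see, per rule, which filters matched and whether their pattern actually fired.

```python
"""Offline harness for suricata-update style modify.conf filters.

Added example, not code from suricata-update.  It implements only what the
documented modify.conf syntax promises: each line is
    <match> "<from-regex>" "<to>"
where <match> is "re:<regex>" or "gid:sid", and the substitution is a
Python re.sub over the rule text.  Assumptions (not verified against the
tool): filters run in file order, each on the output of the previous one;
"re:" matches are a plain case-sensitive search over the whole rule line.
"""
import re
import shlex

# Subset of the posted modify.conf: identical syntax and ordering, trimmed to
# the lines that touch the sample rules below.
MODIFY_CONF = r'''
## Reject by classtype
re:classtype:s*web-application-attack   "alert(.*)" "reject\1"  # high
re:classtype:s*attempted-dos            "alert(.*)" "drop\1"    # medium

## Reject by rule id
1:2013926   "alert(.*)" "reject\1" # ET POLICY HTTP traffic on port 443 (POST)

# revert `noalert;` rules
re:.        "(drop|reject)(.*) noalert;" "alert\2 noalert;"
'''

# The rule quoted in the question, with its assumed upstream action "alert"
# (the question shows it after the attempted-dos filter turned it into "drop").
RDP_RULE = (
    'alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop '
    '(RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; '
    'flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; '
    'flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; '
    'classtype:attempted-dos; noalert; sid:2014384; rev:8; '
    'metadata:created_at 2012_03_13, updated_at 2012_03_13;)'
)

# Constructed rules (local sids; the 2013926 entry is a stand-in, not the ET text).
SAMPLES = {
    "rdp_noalert": RDP_RULE,
    "web_attack": 'alert http $EXTERNAL_NET any -> $HOME_NET any '
                  '(msg:"CONSTRUCTED web attack"; content:"/admin/"; '
                  'classtype:web-application-attack; sid:9000001; rev:1;)',
    "sid_2013926": 'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 '
                   '(msg:"CONSTRUCTED stand-in for 2013926"; content:"POST "; '
                   'classtype:policy-violation; sid:2013926; rev:1;)',
    "misc_activity": 'alert tcp any any -> any any (msg:"CONSTRUCTED misc"; '
                     'classtype:misc-activity; sid:9000002; rev:1;)',
}


def make_matcher(spec):
    """Turn a modify.conf match expression into a predicate over rule text."""
    if spec.startswith("re:"):
        rx = re.compile(spec[3:].strip())
        return lambda rule: rx.search(rule) is not None
    m = re.fullmatch(r"(\d+):(\d+)", spec)
    if m:
        want_gid, want_sid = m.groups()

        def by_id(rule):
            sid = re.search(r"\bsid:\s*(\d+)\s*;", rule)
            gid = re.search(r"\bgid:\s*(\d+)\s*;", rule)
            have_gid = gid.group(1) if gid else "1"   # Suricata's default gid
            return sid is not None and (have_gid, sid.group(1)) == (want_gid, want_sid)
        return by_id
    raise ValueError("unsupported match expression: %r" % spec)


def load_modify_filters(text):
    """Parse modify.conf text into (matcher, compiled pattern, replacement) triples."""
    filters = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line, comments=True)   # also drops trailing "# ..." notes
        if len(tokens) != 3:
            raise ValueError("expected <match> \"<from>\" \"<to>\", got %r" % line)
        match, pattern, repl = tokens
        filters.append((make_matcher(match), re.compile(pattern), repl))
    return filters


def apply_modify_filters(rule, filters, trace=None):
    """Run every matching filter in order; each one sees the previous one's output.

    If `trace` is a list, (pattern, changed?) is appended per matching filter,
    so a filter that matches the rule but whose regex never fires is visible.
    """
    for match, pattern, repl in filters:
        if not match(rule):
            continue
        new_rule = pattern.sub(repl, rule)
        if trace is not None:
            trace.append((pattern.pattern, new_rule != rule))
        rule = new_rule
    return rule


def action_of(rule):
    """The rule's action keyword (first whitespace-separated token)."""
    return rule.split(None, 1)[0]


def run_samples():
    """Final action per sample rule after the whole filter chain."""
    filters = load_modify_filters(MODIFY_CONF)
    return {name: action_of(apply_modify_filters(rule, filters))
            for name, rule in SAMPLES.items()}


if __name__ == "__main__":
    filters = load_modify_filters(MODIFY_CONF)
    for name, rule in SAMPLES.items():
        trace = []
        final = apply_modify_filters(rule, filters, trace)
        print("%-14s -> %-6s  fired: %s" % (name, action_of(final), trace))
```

To use it on a real setup, paste the whole /etc/suricata/modify.conf into MODIFY_CONF and the exact line suricata-update emitted for the rule in question into SAMPLES. If this harness reverts the rule to `alert` but suricata-update leaves it at `drop`, the regex chain itself is not the difference, and the next thing to compare is the rule text suricata-update actually feeds to the filter (its own re-serialised form) against the raw line from the ruleset.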