[Oisf-users] suricata update modify
Slava Bendersky
volga629 at networklab.ca
Fri Oct 19 16:44:07 UTC 2018
Hello Jason,
Thank you, you solution is helped resolve the issue.
As side note. When matched traffic is marked is it make sense set it as DROP in rule action ? Or just let firewall put source ip in ipset with timeout and then just drop.
Slava.
From: "Jason Ish" <ish at unx.ca>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Thursday, October 18, 2018 2:37:49 PM
Subject: Re: [Oisf-users] suricata update modify
Hi Slava,
On Thu, Oct 18, 2018 at 5:58 AM Slava Bendersky < [ mailto:volga629 at networklab.ca | volga629 at networklab.ca ] > wrote:
Hello Everyone,
Can't figure out how to insert nfq connection mark in drop rules in /etc/suricata/modify.conf.
First one works, second incorrect.
Any help thank you.
re:. ^alert drop
re:. ";)$" "; nfq_set_mark:0x2\/0xffffffff;)"
In your second line you'll have to escape the ')' as its not part of a regular expression grouping, so this will have it looking like:
re:. ";\)$" "; nfq_set_mark:0x2\/0xffffffff;)"
Also, in your "to" expression you should not be escaping the "/", this will result in a rule that won't be loaded by Suricata. So what I think you are looking for is:
re:. ";\)$" "; nfq_set_mark:0x2/0xffffffff;)"
Hope that helps,
Jason
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181019/bbac364c/attachment.html>
More information about the Oisf-users
mailing list