[Oisf-users] suricata update modify

Slava Bendersky volga629 at networklab.ca
Fri Oct 19 16:44:07 UTC 2018

Hello Jason, 
Thank you, you solution is helped resolve the issue. 
As side note. When matched traffic is marked is it make sense set it as DROP in rule action ? Or just let firewall put source ip in ipset with timeout and then just drop. 


From: "Jason Ish" <ish at unx.ca> 
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org> 
Sent: Thursday, October 18, 2018 2:37:49 PM 
Subject: Re: [Oisf-users] suricata update modify 

Hi Slava, 

On Thu, Oct 18, 2018 at 5:58 AM Slava Bendersky < [ mailto:volga629 at networklab.ca | volga629 at networklab.ca ] > wrote: 

Hello Everyone, 
Can't figure out how to insert nfq connection mark in drop rules in /etc/suricata/modify.conf. 
First one works, second incorrect. 
Any help thank you. 

re:. ^alert drop 
re:. ";)$" "; nfq_set_mark:0x2\/0xffffffff;)" 

In your second line you'll have to escape the ')' as its not part of a regular expression grouping, so this will have it looking like: 

re:. ";\)$" "; nfq_set_mark:0x2\/0xffffffff;)" 

Also, in your "to" expression you should not be escaping the "/", this will result in a rule that won't be loaded by Suricata. So what I think you are looking for is: 

re:. ";\)$" "; nfq_set_mark:0x2/0xffffffff;)" 

Hope that helps, 

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 

Conference: https://suricon.net 
Trainings: https://suricata-ids.org/training/ 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20181019/bbac364c/attachment.html>

More information about the Oisf-users mailing list