[Oisf-users] suricata-update modify does not appear to work any more ?

Russell Fulton r.fulton at auckland.ac.nz
Wed May 1 03:08:11 UTC 2019


I have now established that some mods are working as expected! They just don't trigger a message in the verbose output, and that confused me.

So presumably that means that there is something wrong with the pattern matching.

The obvious thing would be the escaping of the '$'. How should this be handled? (Sample rule below.)

> 2014734 "\$HOME_NET" "[\$HOME_NET, !130.216.2.97]"

Ah! You need to escape the backslash as well, of course.

> 2014734 "\\$HOME_NET" "[\$HOME_NET, !130.216.2.97]"


works.

Apologies for the noise!

Russell

> On 1/05/2019, at 10:50 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> 
> I have just realised that my rules in the modify.conf appear to be being ignored.
> 
> I get a line saying that the file has been read but I don’t see any “Modifying … “ message in the debug output and the rules remain unchanged.   I don’t know when it stopped working.
> 
> There are no warnings or errors...
> 
> I have a handful of rules that I want to change the address filters for (e.g. $HOME_NET) to exclude particular hosts.
> 
> sample rule:
> 
> 2014734 "\$HOME_NET" "[\$HOME_NET, !130.216.2.97]"
> 
> Russell
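The thread turns on how a modify.conf line is tokenized and then applied as a regular expression. The script below is an added example for this page, not suricata-update's own code: it models the documented `<sid> "<pattern>" "<replacement>"` form with Python's `shlex` for the quoting and `re.subn()` for the substitution, and both of those are assumptions about the real tool. The rule text is constructed for illustration (only the sid 2014734 is taken from the thread). It reproduces the silent failure mode described above: a bare `$` in the pattern is the end-of-string anchor, so `$HOME_NET` never matches and the rule is returned unchanged with no error. It also shows that under POSIX shlex quoting `"\$HOME_NET"` and `"\\$HOME_NET"` tokenize to the same pattern, and that escaping `$` in the replacement as well leaves a literal backslash in the rewritten rule under Python's `re`, so the emitted rule is worth checking.

```python
"""Model of one suricata-update modify.conf line: <sid> "<regex>" "<replacement>".

Added example, not suricata-update's own code. It ASSUMES the tool tokenizes the
line shell-style (shlex) and applies the pattern with a plain re.sub() on the
rule text; check both against the version you actually run.
"""
import re
import shlex

# Constructed sample rule for illustration (not the real ET rule carrying sid 2014734).
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 22 '
    '(msg:"EXAMPLE outbound SSH"; flow:to_server; sid:2014734; rev:1;)'
)

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_modify_line(line):
    r"""Split one modify.conf line into (sid, compiled pattern, replacement).

    shlex follows POSIX quoting: inside double quotes a backslash only escapes a
    double quote or another backslash, so "\$HOME_NET" and "\\$HOME_NET" both
    yield the pattern \$HOME_NET.
    """
    tokens = shlex.split(line, comments=True)
    if len(tokens) != 3:
        raise ValueError('expected: <sid> "<pattern>" "<replacement>", got %r' % line)
    sid, pattern, replacement = tokens
    return int(sid), re.compile(pattern), replacement


def apply_modify(rule, line):
    """Apply one modify line to one rule text. Returns (new_rule, changed)."""
    sid, pattern, replacement = parse_modify_line(line)
    m = SID_RE.search(rule)
    if m is None or int(m.group(1)) != sid:
        return rule, False  # this line targets a different rule
    # The pattern runs over the whole rule text, so an unanchored \$HOME_NET
    # would also rewrite a $HOME_NET on the destination side.
    new_rule, count = pattern.subn(replacement, rule)
    return new_rule, count > 0


def demo():
    """Run the spellings from the thread against SAMPLE_RULE; returns name -> (rule, changed)."""
    cases = {
        # Bare '$' is the end-of-string anchor, so '$HOME_NET' never matches and the
        # rule comes back unchanged with no error: the silent failure mode.
        "bare": '2014734 "$HOME_NET" "[$HOME_NET, !130.216.2.97]"',
        # '\$' is a literal dollar sign. The replacement is not a regex, so a bare
        # '$' there is fine.
        "escaped": r'2014734 "\$HOME_NET" "[$HOME_NET, !130.216.2.97]"',
        # Double backslash inside double quotes tokenizes to the same pattern.
        "double": r'2014734 "\\$HOME_NET" "[$HOME_NET, !130.216.2.97]"',
        # Escaping '$' in the replacement as well: Python's re keeps an unknown
        # non-letter escape such as '\$' verbatim, so a backslash lands in the rule.
        "escaped_repl": r'2014734 "\$HOME_NET" "[\$HOME_NET, !130.216.2.97]"',
        # Right pattern, wrong sid: no change.
        "other_sid": r'2014735 "\$HOME_NET" "[$HOME_NET, !130.216.2.97]"',
    }
    return {name: apply_modify(SAMPLE_RULE, line) for name, line in cases.items()}


if __name__ == "__main__":
    for name, (rule, changed) in demo().items():
        print("%-13s changed=%-5s %s" % (name, changed, rule))
```

Run it and compare the `escaped` and `escaped_repl` lines: only the pattern side needs `\$`, and if your tool really does pass the replacement straight to `re.sub()`, the second spelling writes `[\$HOME_NET, ...]` into the rule file. The `bare` case is the one to remember when a modify line is "read" but nothing changes and no warning is printed.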
