I have the following /etc/suricata/modify.conf file:
## Reject by classtype
re:classtype:\s*attempted-user "alert(.*)" "reject\\1" # high Attempted User Privilege Gain
re:classtype:\s*unsuccessful-user "alert(.*)" "reject\\1" # high Unsuccessful User Privilege Gain
re:classtype:\s*successful-user "alert(.*)" "reject\\1" # high Successful User Privilege Gain
re:classtype:\s*attempted-admin "alert(.*)" "reject\\1" # high Attempted Administrator Privilege Gain
re:classtype:\s*successful-admin "alert(.*)" "reject\\1" # high Successful Administrator Privilege Gain
re:classtype:\s*shellcode-detect "alert(.*)" "reject\\1" # high Executable code was detected
#re:classtype:\s*trojan-activity "alert(.*)" "reject\\1" # high A Network Trojan was detected
re:classtype:\s*web-application-attack "alert(.*)" "reject\\1" # high Web Application Attack
#re:classtype:\s*kickass-porn "alert(.*)" "reject\\1" # high SCORE! Get the lotion! - WTF? JCA
re:classtype:\s*policy-violation "alert(.*)" "reject\\1" # high Potential Corporate Privacy Violation
re:classtype:\s*targeted-activity "alert(.*)" "reject\\1" # high Targeted Malicious Activity was Detected
re:classtype:\s*exploit-kit "alert(.*)" "reject\\1" # high Exploit Kit Activity Detected
re:classtype:\s*domain-c2 "alert(.*)" "reject\\1" # high Domain Observed Used for C2 Detected
re:classtype:\s*credential-theft "alert(.*)" "reject\\1" # high Successful Credential Theft Detected
#re:classtype:\s*bad-unknown "alert(.*)" "reject\\1" # medium Potentially Bad Traffic
re:classtype:\s*attempted-recon "alert(.*)" "reject\\1" # medium Attempted Information Leak
re:classtype:\s*successful-recon-limited "alert(.*)" "reject\\1" # medium Information Leak
re:classtype:\s*successful-recon-largescale "alert(.*)" "reject\\1" # medium Large Scale Information Leak
re:classtype:\s*attempted-dos "alert(.*)" "drop\\1" # medium Attempted Denial of Service
re:classtype:\s*successful-dos "alert(.*)" "drop\\1" # medium Denial of Service
re:classtype:\s*denial-of-service "alert(.*)" "drop\\1" # medium Detection of a Denial of Service Attack
re:classtype:\s*rpc-portmap-decode "alert(.*)" "reject\\1" # medium Decode of an RPC Query
re:classtype:\s*suspicious-filename-detect "alert(.*)" "reject\\1" # medium A suspicious filename was detected
re:classtype:\s*suspicious-login "alert(.*)" "reject\\1" # medium An attempted login using a suspicious usern
re:classtype:\s*system-call-detect "alert(.*)" "reject\\1" # medium A system call was detected
re:classtype:\s*unusual-client-port-connection "alert(.*)" "reject\\1" # medium A client was using an unusual port
re:classtype:\s*non-standard-protocol "alert(.*)" "reject\\1" # medium Detection of a non-standard protocol or eve
re:classtype:\s*web-application-activity "alert(.*)" "reject\\1" # medium access to a potentially vulnerable web appl
re:classtype:\s*misc-attack "alert(.*)" "reject\\1" # medium Misc Attack
re:classtype:\s*default-login-attempt "alert(.*)" "reject\\1" # medium Attempt to login by a default username and
#re:classtype:\s*external-ip-check "alert(.*)" "reject\\1" # medium Device Retrieving External IP Address Detec
re:classtype:\s*pup-activity "alert(.*)" "reject\\1" # medium Possibly Unwanted Program Detected
re:classtype:\s*social-engineering "alert(.*)" "reject\\1" # medium Possible Social Engineering Attempted
re:classtype:\s*coin-mining "alert(.*)" "reject\\1" # medium Crypto Currency Mining Activity Detected
#re:classtype:\s*not-suspicious "alert(.*)" "reject\\1" # low Not Suspicious Traffic
#re:classtype:\s*unknown "alert(.*)" "reject\\1" # low Unknown Traffic
#re:classtype:\s*string-detect "alert(.*)" "reject\\1" # low A suspicious string was detected
re:classtype:\s*network-scan "alert(.*)" "reject\\1" # low Detection of a Network Scan
#re:classtype:\s*protocol-command-decode "alert(.*)" "reject\\1" # low Generic Protocol Command Decode
#re:classtype:\s*misc-activity "alert(.*)" "reject\\1" # low Misc activity
#re:classtype:\s*icmp-event "alert(.*)" "reject\\1" # low Generic ICMP event
#re:classtype:\s*tcp-connection "alert(.*)" "reject\\1" # vlow A TCP connection was detected
## Reject by rule id
1:2013926 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (POST)
1:2013927 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (HEAD)
1:2013928 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (PROPFIND)
1:2013931 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (DELETE)
# revert `noalert;` rules
re:. "(drop|reject)(.*) noalert;" "alert\\2 noalert;"
The problem is with the last rule, re:. "(drop|reject)(.*) noalert;" "alert\\2 noalert;". It skips some Suricata rules. For example:
drop tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; noalert; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
The simplest explanation would be that something is wrong with my regular expression, but I can't see what it is. Also, my testing with regex101 says it should work. In fact, many other Suricata rules do get modified correctly.
What's going on? Is this a bug? Am I missing something? The official OISF support channels haven't been particularly helpful on this.
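A stand-alone reproduction of that last modify line against the quoted RDP rule. This is an added example, not code from the question or from the suricata-update project; it assumes, as I understand that project, that each modify.conf line is split with shlex and applied to the rule text with Python's re.sub, and it deliberately ignores the gid part of a bare gid:sid match spec. Running the regex and replacement in isolation like this separates "the pattern is wrong" from "something else in the pipeline skipped the rule".

```python
"""Replay one suricata-update modify.conf line against one rule string.

Added example, not the question's or suricata-update's own code.  Assumption:
modify lines are tokenized with shlex.split() and applied with re.sub(), which
is how suricata-update's modify filters behave as far as I know.
"""
import re
import shlex

# The last line of the questioner's modify.conf, copied byte-for-byte.
MODIFY_LINE = r're:. "(drop|reject)(.*) noalert;" "alert\\2 noalert;"'

# The rule the questioner reports as skipped, already turned into "drop" by
# the earlier classtype:attempted-dos line.  Copied from the question.
SAMPLE_RULE = (
    'drop tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop '
    '(RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; '
    'flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; '
    'flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; '
    'classtype:attempted-dos; noalert; sid:2014384; rev:8; '
    'metadata:created_at 2012_03_13, updated_at 2012_03_13;)'
)


def parse_modify_line(line):
    """Split a modify line into (match spec, compiled pattern, replacement).

    In POSIX mode shlex collapses the file's ``\\2`` (inside double quotes)
    to ``\2``, which is exactly the back-reference syntax re.sub() expects.
    """
    tokens = shlex.split(line)
    if len(tokens) != 3:
        raise ValueError("expected 3 tokens, got %d: %r" % (len(tokens), tokens))
    matcher, pattern, repl = tokens
    return matcher, re.compile(pattern), repl


def rule_matches(matcher, rule):
    """Evaluate the match spec against the rule text.

    ``re:<regex>`` is searched anywhere in the rule.  A bare ``gid:sid`` spec
    (also used in the questioner's file) is matched on the sid only; that is a
    simplification of this example, not the project's behaviour.
    """
    if matcher.startswith("re:"):
        return re.search(matcher[len("re:"):], rule) is not None
    gid_sid = re.match(r"(\d+):(\d+)$", matcher)
    if gid_sid:
        return re.search(r"\bsid:\s*%s;" % gid_sid.group(2), rule) is not None
    raise ValueError("unsupported match spec: %r" % matcher)


def apply_modify(rule, line=MODIFY_LINE):
    """Return the rule after applying one modify line (unchanged if no match)."""
    matcher, pattern, repl = parse_modify_line(line)
    if not rule_matches(matcher, rule):
        return rule
    return pattern.sub(repl, rule)


def main():
    out = apply_modify(SAMPLE_RULE)
    print("tokens     :", shlex.split(MODIFY_LINE))
    print("changed    :", out != SAMPLE_RULE)
    print("first word :", out.split(" ", 1)[0])
    print("result     :", out)


if __name__ == "__main__":
    main()
```

If this prints an "alert ..." rule, the regex and the back-reference do what regex101 suggested on this exact string, and the search for the cause moves to the order in which the modify lines run and to whatever rule text suricata-update actually feeds them, rather than to the pattern itself.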