У меня есть следующие /etc/suricata/modify.conf
файл:
## Reject by classtype
re:classtype:\s*attempted-user "alert(.*)" "reject\\1" # high Attempted User Privilege Gain
re:classtype:\s*unsuccessful-user "alert(.*)" "reject\\1" # high Unsuccessful User Privilege Gain
re:classtype:\s*successful-user "alert(.*)" "reject\\1" # high Successful User Privilege Gain
re:classtype:\s*attempted-admin "alert(.*)" "reject\\1" # high Attempted Administrator Privilege Gain
re:classtype:\s*successful-admin "alert(.*)" "reject\\1" # high Successful Administrator Privilege Gain
re:classtype:\s*shellcode-detect "alert(.*)" "reject\\1" # high Executable code was detected
#re:classtype:\s*trojan-activity "alert(.*)" "reject\\1" # high A Network Trojan was detected
re:classtype:\s*web-application-attack "alert(.*)" "reject\\1" # high Web Application Attack
#re:classtype:\s*kickass-porn "alert(.*)" "reject\\1" # high SCORE! Get the lotion! - WTF? JCA
re:classtype:\s*policy-violation "alert(.*)" "reject\\1" # high Potential Corporate Privacy Violation
re:classtype:\s*targeted-activity "alert(.*)" "reject\\1" # high Targeted Malicious Activity was Detected
re:classtype:\s*exploit-kit "alert(.*)" "reject\\1" # high Exploit Kit Activity Detected
re:classtype:\s*domain-c2 "alert(.*)" "reject\\1" # high Domain Observed Used for C2 Detected
re:classtype:\s*credential-theft "alert(.*)" "reject\\1" # high Successful Credential Theft Detected
#re:classtype:\s*bad-unknown "alert(.*)" "reject\\1" # medium Potentially Bad Traffic
re:classtype:\s*attempted-recon "alert(.*)" "reject\\1" # medium Attempted Information Leak
re:classtype:\s*successful-recon-limited "alert(.*)" "reject\\1" # medium Information Leak
re:classtype:\s*successful-recon-largescale "alert(.*)" "reject\\1" # medium Large Scale Information Leak
re:classtype:\s*attempted-dos "alert(.*)" "drop\\1" # medium Attempted Denial of Service
re:classtype:\s*successful-dos "alert(.*)" "drop\\1" # medium Denial of Service
re:classtype:\s*denial-of-service "alert(.*)" "drop\\1" # medium Detection of a Denial of Service Attack
re:classtype:\s*rpc-portmap-decode "alert(.*)" "reject\\1" # medium Decode of an RPC Query
re:classtype:\s*suspicious-filename-detect "alert(.*)" "reject\\1" # medium A suspicious filename was detected
re:classtype:\s*suspicious-login "alert(.*)" "reject\\1" # medium An attempted login using a suspicious usern
re:classtype:\s*system-call-detect "alert(.*)" "reject\\1" # medium A system call was detected
re:classtype:\s*unusual-client-port-connection "alert(.*)" "reject\\1" # medium A client was using an unusual port
re:classtype:\s*non-standard-protocol "alert(.*)" "reject\\1" # medium Detection of a non-standard protocol or eve
re:classtype:\s*web-application-activity "alert(.*)" "reject\\1" # medium access to a potentially vulnerable web appl
re:classtype:\s*misc-attack "alert(.*)" "reject\\1" # medium Misc Attack
re:classtype:\s*default-login-attempt "alert(.*)" "reject\\1" # medium Attempt to login by a default username and
#re:classtype:\s*external-ip-check "alert(.*)" "reject\\1" # medium Device Retrieving External IP Address Detec
re:classtype:\s*pup-activity "alert(.*)" "reject\\1" # medium Possibly Unwanted Program Detected
re:classtype:\s*social-engineering "alert(.*)" "reject\\1" # medium Possible Social Engineering Attempted
re:classtype:\s*coin-mining "alert(.*)" "reject\\1" # medium Crypto Currency Mining Activity Detected
#re:classtype:\s*not-suspicious "alert(.*)" "reject\\1" # low Not Suspicious Traffic
#re:classtype:\s*unknown "alert(.*)" "reject\\1" # low Unknown Traffic
#re:classtype:\s*string-detect "alert(.*)" "reject\\1" # low A suspicious string was detected
re:classtype:\s*network-scan "alert(.*)" "reject\\1" # low Detection of a Network Scan
#re:classtype:\s*protocol-command-decode "alert(.*)" "reject\\1" # low Generic Protocol Command Decode
#re:classtype:\s*misc-activity "alert(.*)" "reject\\1" # low Misc activity
#re:classtype:\s*icmp-event "alert(.*)" "reject\\1" # low Generic ICMP event
#re:classtype:\s*tcp-connection "alert(.*)" "reject\\1" # vlow A TCP connection was detected
## Reject by rule id
1:2013926 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (POST)
1:2013927 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (HEAD)
1:2013928 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (PROPFIND)
1:2013931 "alert(.*)" "reject\\1" # ET POLICY HTTP traffic on port 443 (DELETE)
# revert `noalert;` rules
re:. "(drop|reject)(.*) noalert;" "alert\\2 noalert;"
Проблема - это последнее правило, re:. "(drop|reject)(.*) noalert;" "alert\\2 noalert;"
. Он пропускает некоторые правила сурикаты. Например:
drop tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; noalert; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
Самое простое объяснение заключается в том, что с моим регулярным выражением что-то не так, но я не могу понять, что именно. И мой тесты с regex101 указывает, что он должен работать. И, на самом деле, есть много других правил сурикаты, которые изменяются правильно.
Что дает? Это ошибка? Я что-то упускаю? Официальные каналы поддержки OISF не особо помогли в этом.