Suricata SID invert or exclude in drop conf
-
Hello all,
I have a drop SID conf file that matches:
emerging- pcre:security-ips pcre:balanced-ips pcre:connected-ips
I'd like to exclude a pcre match from this so that it remains on alert.
I've tried using ! matches or exclusions in the pcre expression but neither seems to work.
Currently I'm matching the items to ignore in disabled SID conf:
pcre:covid-19 domain
But that leaves them disabled as opposed to just not alerting. Is there a way of adding a line to exclude or invert items in the conf files?
Many thanks,
James
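As an added example (not code from this thread or from the pfSense Suricata package), the script below models how a pulledpork-style SID MGMT file is matched against rule text and computes the drop set with an exclusion list applied outside the package, which is the effect the question asks for. It assumes one entry per line (the post lists them on one line), that a "pcre:" entry is tested against the whole rule line, that a name such as "emerging-" matches by category prefix, and that regex matching is case-insensitive; the sample rules are constructed, not real ET rules, and the "1:<sid>" output form is an assumption about what an explicit SID list looks like.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample rules, keyed by category file name. Not real ET rules.
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-malware": [
        'alert dns $HOME_NET any -> any any (msg:"ET MALWARE COVID-19 Domain Lookup (constructed)"; '
        'metadata:policy balanced-ips drop; sid:9000001; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Update Beacon (constructed)"; '
        'metadata:policy security-ips drop; sid:9000002; rev:1;)',
    ],
    "emerging-info": [
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO COVID-19 Domain Observed (constructed)"; '
        'metadata:policy connected-ips alert; sid:9000003; rev:2;)',
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic Client (constructed)"; '
        'metadata:policy connected-ips alert; sid:9000004; rev:2;)',
    ],
    "local": [
        'alert tcp any any -> any 4444 (msg:"LOCAL Suspicious Port (constructed)"; '
        'metadata:policy security-ips drop; sid:9000005; rev:1;)',
    ],
}

# The drop conf from the question, written one entry per line (assumption).
DROP_CONF = "emerging-\npcre:security-ips\npcre:balanced-ips\npcre:connected-ips\n"
# The entries the question wants to keep on alert instead of drop.
EXCLUDE_CONF = "pcre:covid-19 domain\n"

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Parse a SID MGMT style file into (kind, value) entries.

    Supported line forms (modelled on the pulledpork format, an assumption):
    'pcre:<regex>', a numeric SID or 'gid:sid', or a category-name prefix.
    Blank lines and '#' comments are ignored.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            entries.append(("pcre", line[len("pcre:"):]))
        elif re.fullmatch(r"(\d+:)?\d+", line):
            entries.append(("sid", line.split(":")[-1]))
        else:
            entries.append(("category", line))
    return entries


def matching_sids(rules: Dict[str, List[str]], entries: List[Tuple[str, str]]) -> Set[int]:
    """Return the SIDs hit by any entry (entries are OR'ed, as in the package's files)."""
    hits: Set[int] = set()
    for category, lines in rules.items():
        for line in lines:
            m = SID_RE.search(line)
            if not m:
                continue
            sid = int(m.group(1))
            for kind, value in entries:
                if kind == "pcre" and re.search(value, line, re.IGNORECASE):
                    hits.add(sid)
                elif kind == "sid" and int(value) == sid:
                    hits.add(sid)
                elif kind == "category" and category.startswith(value):
                    hits.add(sid)
    return hits


def resolve_drop_set(rules: Dict[str, List[str]], drop_conf: str,
                     exclude_conf: str) -> Tuple[List[int], List[int]]:
    """Apply the exclusion list to the drop list: (sids to drop, sids kept on alert)."""
    drop = matching_sids(rules, parse_conf(drop_conf))
    keep_alert = drop & matching_sids(rules, parse_conf(exclude_conf))
    return sorted(drop - keep_alert), sorted(keep_alert)


def render_sid_list(sids: List[int], gid: int = 1) -> str:
    """Render an explicit gid:sid list, one per line (assumed accepted by the SID MGMT tab)."""
    return "\n".join(f"{gid}:{sid}" for sid in sids)


if __name__ == "__main__":
    to_drop, kept = resolve_drop_set(SAMPLE_RULES, DROP_CONF, EXCLUDE_CONF)
    print("drop:\n" + render_sid_list(to_drop))
    print("kept on alert:\n" + render_sid_list(kept))
```

The exclusion is a second pass over the rule text rather than a negated entry in the same file, which is why a "!pcre:" line cannot express it: each entry only ever adds matches. Python's `re` is not PCRE, so a pattern that relies on PCRE-only syntax would need adjusting before reuse here.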
-
No, unfortunately not. The regex engine in the package is not that smart. You will need to manually edit the specific rule or rules by finding the rule on the RULES tab and then clicking the icons there to change action or state. Those changes have the highest precedence, and are processed AFTER the SID MGMT tab options are processed.
The precedence for rules processing goes like this: (1) the defaults published from the rules vendor; (2) changes configured via the SID MGMT tab; (3) user-forced enable/disable or alert/drop changes using the icons available on the ALERTS and RULES tabs.
-
Thanks @bmeeks. That's a shame.
Would be a great feature to be able to add !pcre:covid-19 domain or similar above the other values to ignore as a first match.
Hopefully a valid feature request!