    Suricata custom.rules payloads doesn't block or alert

p-root

      Pfsense : 2.3.2
      Suricata : 3.0_7

      Hi,
I make my own rules for testing payloads with content keywords in custom.rules, but they don't work  ???
      Content keyword : https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords

      My rules :

Payload content keyword : "........netcore" or "|2E 2E 2E 2E 2E 2E 2E 2E|netcore"

alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"........netcore"; depth:15; classtype:attempted-admin; sid:9900001; rev:1;)

alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"|2E 2E 2E 2E 2E 2E 2E 2E|netcore"; depth:15; classtype:attempted-admin; sid:9900002; rev:1;)

      Result with both rules : No alert, no block.

      Working fine only with threshold options :

alert udp any any <> any 53413 (msg:"test netcore exploit"; threshold: type threshold, track by_src, count 1, seconds 60; classtype:attempted-admin; sid:9900003; rev:1;)

      Result : Alert and block

      Anyone ?

      Thank you  ;)

fsansfil

        Just use…

alert udp any any -> any 53413 (msg:"test netcore exploit"; content:"netcore"; depth:16; classtype:attempted-admin; sid:9900002; rev:1;)

        F.

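To make the difference between the two content/depth variants in this thread concrete, here is an added example (not code from the thread or from Suricata) that models the content and depth keyword semantics from the linked wiki page and runs the three content rules against two constructed UDP/53413 payloads: one that really starts with eight ASCII dots, and one whose first eight bytes are not dots, where only the shorter "netcore" content with depth:16 still fires. The matching function and sample payloads are assumptions for illustration, not captured traffic.

```python
from typing import Dict, Optional, Tuple, Union

# Toy model of Suricata's content + depth matching (added illustration,
# not Suricata's own implementation). `depth` restricts the search to the
# first `depth` bytes of the payload and the whole content must fit inside
# that window, so a 7-byte content with depth:16 may start no later than
# offset 9.
def content_matches(payload: bytes, content: bytes,
                    depth: Optional[int] = None) -> bool:
    window = payload if depth is None else payload[:depth]
    return content in window


def parse_content(value: str) -> bytes:
    """Turn a rule's content string into bytes, expanding |hex| escapes
    such as "|2E 2E|netcore" the way the rule syntax describes them."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "|":
            end = value.index("|", i + 1)
            out += bytes.fromhex(value[i + 1:end])
            i = end + 1
        else:
            out += value[i].encode("latin-1")
            i += 1
    return bytes(out)


# The three content rules from the thread, as (content, depth).
RULES: Dict[Union[int, str], Tuple[str, int]] = {
    9900001: ("........netcore", 15),
    9900002: ("|2E 2E 2E 2E 2E 2E 2E 2E|netcore", 15),
    "fsansfil": ("netcore", 16),
}

# Constructed sample payloads (not captures). The first really begins with
# eight ASCII dots; the second begins with eight non-printable bytes, which
# a hex-dump viewer would display as dots even though they are not 0x2E.
SAMPLE_DOTS = b"........netcore\x00"
SAMPLE_BINARY = b"\x00\x01\x02\x03\x04\x05\x06\x07netcore\x00"


def evaluate(payload: bytes) -> Dict[Union[int, str], bool]:
    """Report which of the thread's rules would fire on `payload`."""
    return {sid: content_matches(payload, parse_content(c), d)
            for sid, (c, d) in RULES.items()}
```

When tuning a content rule like this, checking the first bytes of a real capture in hex rather than in the ASCII column avoids baking display placeholders into the signature.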
p-root

Wrong depth keyword in my rules.

Thanks fsansfil,
your rule works like a charm  ;)
