Problems with using regex in disablesid.conf (not a standard regex problem)
Hello,
I'm on pfSense 23.09.1 with Suricata 7.0.2_3 (same on 7.0.2_2).
My goal is to disable signatures based on the year in their CVE reference.
This should be easy with sid_mgmt.
There I can disable CVEs one by one using e.g.
cve:2008-3018
This works fine, but the moment I start using a regex for matching, it doesn't.
I tried the following versions:
- cve:20(0\d|1[0-8])-\d+
- cve:2008-\d+ # derived from the example cve:2000-\d+ given in sampledisablesid.conf, so this should definitely be valid.
- pcre:cve[,.]20(0\d|1\d-\d+ # tried with and without wrapping it in .* to match the whole signature string.
- pcre:.* # this strangely does work and correctly disables anything
- cve:.* # but this again doesn't
The regexes themselves are confirmed to match the CVEs in the signatures by an external PCRE engine.
Since specifying the whole CVE disables the corresponding signatures, I know the problem is not some general sid_mgmt problem, like having rules force-enabled or not updating correctly.
Also, the external testing and the result of "cve:.*" indicate that this is not just an "I got my regex wrong" thing.

So now my questions are: first, is there anything special in comparison with other PCRE implementations which could cause the otherwise valid regex to stop working, and secondly, what could cause the nearly literal example and the trivial regex to break when used with cve:?
I wish you a happy Christmas weekend
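As an added example, not part of the post above and not the pfSense Suricata package's own sid_mgmt code: a small Python script that applies the semantics the post expects to a few constructed rules. The semantics are assumptions made for this example, namely that a `cve:` entry is a regex that must match a rule's entire CVE reference value, a `pcre:` entry is a regex searched anywhere in the rule line, plain entries are comma-separated literal SIDs, and anything after `#` is a trailing comment. Running it against a copy of the live rules file gives the set of SIDs one would expect to be disabled, which can then be compared with what the GUI actually did.

```python
import re

# Constructed sample rules (not from any real ruleset): SIDs, msg strings
# and CVE ids below are made up purely to exercise the matching logic.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"DEMO 2008 ref"; reference:cve,2008-3018; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"DEMO 2015 ref"; reference:cve,2015-1234; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"DEMO 2022 ref"; reference:cve,2022-9999; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"DEMO no cve"; reference:url,example.invalid; sid:1000004; rev:1;)
alert tcp any any -> any 80 (msg:"DEMO two refs"; reference:cve,2003-0001; reference:cve,2019-0002; sid:1000005; rev:1;)
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
CVE_REF_RE = re.compile(r'reference:\s*cve,\s*([^;\s]+)\s*;', re.IGNORECASE)


def parse_disable_list(text):
    """Parse disablesid.conf-style text into (kind, value, source) tuples.

    Assumed semantics (this is NOT the pfSense package's parser):
      cve:<regex>    regex that must match a whole CVE reference value
      pcre:<regex>   regex searched anywhere in the rule line
      <sid>[,<sid>]  literal SIDs, comma separated
    Text after '#' is a trailing comment, so regexes here may not contain '#'.
    A regex that does not compile is reported together with its entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        lowered = line.lower()
        try:
            if lowered.startswith('cve:'):
                entries.append(('cve', re.compile(line[4:].strip()), line))
            elif lowered.startswith('pcre:'):
                entries.append(('pcre', re.compile(line[5:].strip()), line))
            else:
                for sid in line.split(','):
                    if sid.strip():
                        entries.append(('sid', sid.strip(), line))
        except re.error as exc:
            raise ValueError(f"entry {line!r} is not a valid regex: {exc}") from exc
    return entries


def first_matching_entry(rule, entries):
    """Return the source text of the first entry that selects this rule, else None."""
    sid_m = SID_RE.search(rule)
    if sid_m is None:
        return None          # blank line, comment, or not a rule
    sid = sid_m.group(1)
    cves = CVE_REF_RE.findall(rule)   # every reference:cve,... value in the rule
    for kind, value, source in entries:
        if kind == 'sid' and value == sid:
            return source
        if kind == 'cve' and any(value.fullmatch(c) for c in cves):
            return source
        if kind == 'pcre' and value.search(rule):
            return source
    return None


def sids_to_disable(rules_text, disable_text):
    """Map each SID selected by the disable list to the entry responsible for it."""
    entries = parse_disable_list(disable_text)
    result = {}
    for rule in rules_text.splitlines():
        source = first_matching_entry(rule, entries)
        if source is not None:
            result[SID_RE.search(rule).group(1)] = source
    return result


if __name__ == "__main__":
    # The year-based list the post is after (CVE years 2000-2018), plus the
    # other variants it tried, applied to the constructed rules above.
    for conf in (r"cve:20(0\d|1[0-8])-\d+", r"cve:.*", r"pcre:.*", "1000004 # one literal SID"):
        print(f"{conf:30s} -> {sorted(sids_to_disable(SAMPLE_RULES, conf))}")
```

One check worth making before blaming the matcher: the `pcre:` pattern quoted in the post has an unclosed `(`, which any PCRE-compatible engine rejects as a syntax error, and the script surfaces such an entry as a `ValueError` naming the offending line rather than matching nothing silently. The `cve:` patterns in the post are balanced, so this does not account for those on its own.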