rba-community/TA-opnsense

Suricata signature regex not matching if IPS in drop mode

Closed this issue · 1 comment

The regex for the suricata signature field does not match when Suricata is in IPS (drop) mode. Current regex from https://github.com/ZachChristensen28/TA-opnsense/blob/master/default/transforms.conf#L232 :

[opnsense_suricata_signature]
REGEX  = suricata\[[^\]]+\]\:\s+\[[^\]]+\]\s+([^\]]+)\s+\[
FORMAT = signature::"$1"

will match (Suricata IDS mode):

Sep 16 23:36:24 192.168.0.254 Sep 17 01:36:24 opnsense suricata[61590]: [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27006 -> 192.168.0.200:80
Sep 16 23:36:24 192.168.0.254 Sep 17 01:36:24 opnsense suricata[61590]: [1:2006445:13] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27006 -> 192.168.0.200:80
Sep 16 23:24:07 192.168.0.254 Sep 17 01:24:07 opnsense suricata[61590]: [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27098 -> 192.168.0.200:80

example: https://regexr.com/65pje

but will not match (Suricata IPS mode):

Sep 16 23:38:17 192.168.0.254 Sep 17 01:38:17 opnsense suricata[61590]: [Drop] [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27003 -> 192.168.0.200:80
Sep 16 23:38:17 192.168.0.254 Sep 17 01:38:17 opnsense suricata[61590]: [Drop] [1:2006445:13] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27003 -> 192.168.0.200:80
Sep 16 23:37:36 192.168.0.254 Sep 17 01:37:28 opnsense suricata[61590]: [Drop] [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27072 -> 192.168.0.200:80

example: https://regexr.com/65pjh

The solution is to add an optional token for "[Drop]":

[opnsense_suricata_signature]
REGEX = suricata\[[^\]]+\]\:\s+(\[.*\]\s+)?\[[^\]]+\]\s+([^\]]+)\s+\[
FORMAT = signature::"$2"

cheers
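To check the two transforms against both log shapes, here is an added Python example (not part of TA-opnsense; Python's re stands in for Splunk's PCRE engine). It runs the shipped regex and the proposed fix over constructed IDS and IPS lines modelled on the ones above, and adds a stricter full-line pattern, FULL_RE, of my own that also recovers the action, rule id, classification, priority, protocol and endpoints.

```python
import re

# Patterns quoted in the issue: the shipped transforms.conf regex and the
# proposed fix with an optional "[Drop]" group.
ORIGINAL_RE = re.compile(r'suricata\[[^\]]+\]\:\s+\[[^\]]+\]\s+([^\]]+)\s+\[')
FIXED_RE = re.compile(r'suricata\[[^\]]+\]\:\s+(\[.*\]\s+)?\[[^\]]+\]\s+([^\]]+)\s+\[')

# Stricter full-line pattern (added here, not part of the TA): the action is
# limited to letters so "[1:2006446:13]" can never be taken for it, and the
# remaining alert fields are captured by name.
FULL_RE = re.compile(
    r'suricata\[(?P<pid>\d+)\]:\s+'
    r'(?:\[(?P<action>[A-Za-z]+)\]\s+)?'      # "[Drop]" appears only in IPS mode
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<signature>.+?)\s+'
    r'\[Classification:\s+(?P<classification>[^\]]+)\]\s+'
    r'\[Priority:\s+(?P<priority>\d+)\]\s+'
    r'\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)')

# Constructed sample lines modelled on the issue: the same alert as logged in
# IDS mode and in IPS (drop) mode.
IDS_LINE = ('Sep 16 23:36:24 192.168.0.254 Sep 17 01:36:24 opnsense suricata[61590]: '
            '[1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT '
            '[Classification: Web Application Attack] [Priority: 1] {TCP} '
            '192.168.0.100:27006 -> 192.168.0.200:80')
IPS_LINE = IDS_LINE.replace('suricata[61590]: ', 'suricata[61590]: [Drop] ')


def signature_original(line):
    """Signature as the shipped transform extracts it; None when it does not match."""
    m = ORIGINAL_RE.search(line)
    return m.group(1) if m else None


def signature_fixed(line):
    """Signature as the proposed transform extracts it (group 2 after the fix)."""
    m = FIXED_RE.search(line)
    return m.group(2) if m else None


def parse_alert(line):
    """All alert fields as a dict; action is 'alert' when no [Drop] is present."""
    m = FULL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields['action'] = fields['action'] or 'alert'
    return fields
```

Running `signature_original` over the IPS line returns None, which is exactly the missing `signature` field reported above, while `signature_fixed` and `parse_alert` return the same signature for both modes.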

Thanks for pointing this out! Please let us know if you come across any more issues.