Suricata signature regex not matching if IPS in drop mode
Closed this issue · 1 comment
d307473 commented
The regex for the suricata signature field is not matching when in IPS (drop) mode. Current regex from https://github.com/ZachChristensen28/TA-opnsense/blob/master/default/transforms.conf#L232 :
[opnsense_suricata_signature]
REGEX = suricata\[[^\]]+\]\:\s+\[[^\]]+\]\s+([^\]]+)\s+\[
FORMAT = signature::"$1"
will match (Suricata IDS mode):
Sep 16 23:36:24 192.168.0.254 Sep 17 01:36:24 opnsense suricata[61590]: [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27006 -> 192.168.0.200:80
Sep 16 23:36:24 192.168.0.254 Sep 17 01:36:24 opnsense suricata[61590]: [1:2006445:13] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27006 -> 192.168.0.200:80
Sep 16 23:24:07 192.168.0.254 Sep 17 01:24:07 opnsense suricata[61590]: [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27098 -> 192.168.0.200:80
example: https://regexr.com/65pje
but will not match (Suricata IPS mode):
Sep 16 23:38:17 192.168.0.254 Sep 17 01:38:17 opnsense suricata[61590]: [Drop] [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27003 -> 192.168.0.200:80
Sep 16 23:38:17 192.168.0.254 Sep 17 01:38:17 opnsense suricata[61590]: [Drop] [1:2006445:13] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27003 -> 192.168.0.200:80
Sep 16 23:37:36 192.168.0.254 Sep 17 01:37:28 opnsense suricata[61590]: [Drop] [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.0.100:27072 -> 192.168.0.200:80
example: https://regexr.com/65pjh
The solution is to add an optional token for "[Drop]":
[opnsense_suricata_signature]
REGEX = suricata\[[^\]]+\]\:\s+(\[.*\]\s+)?\[[^\]]+\]\s+([^\]]+)\s+\[
FORMAT = signature::"$2"
cheers
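As an added example (not part of the issue or of the TA-opnsense add-on), the following Python script applies both transforms.conf REGEX values, copied verbatim from the issue above, to the IDS-mode and IPS-mode sample events from the issue. It shows that the original regex yields no field at all for "[Drop]" events, that the proposed regex handles both, and why FORMAT has to move from "$1" to "$2" once the optional group is added (group 1 now holds the "[Drop] " prefix, or nothing). The TIGHT_REGEX variant is an editor's suggestion rather than anything from the issue: it bounds the optional group with `[^\]]+` instead of `.*`, so the engine does not have to backtrack across the whole event before giving up on the group for IDS lines.

```python
import re

# REGEX values exactly as they appear in the issue (Splunk transforms.conf syntax).
OLD_REGEX = r"suricata\[[^\]]+\]\:\s+\[[^\]]+\]\s+([^\]]+)\s+\["              # FORMAT = signature::"$1"
NEW_REGEX = r"suricata\[[^\]]+\]\:\s+(\[.*\]\s+)?\[[^\]]+\]\s+([^\]]+)\s+\["   # FORMAT = signature::"$2"

# Editor's suggested tightening (assumption, not from the issue): the optional
# "[Drop] " token cannot contain "]", so there is no need for a greedy ".*".
TIGHT_REGEX = r"suricata\[[^\]]+\]\:\s+(\[[^\]]+\]\s+)?\[[^\]]+\]\s+([^\]]+)\s+\["  # FORMAT = signature::"$2"

# Sample events copied from the issue: one IDS-mode alert and its IPS-mode twin.
IDS_LINE = (
    "Sep 16 23:36:24 192.168.0.254 Sep 17 01:36:24 opnsense suricata[61590]: "
    "[1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.168.0.100:27006 -> 192.168.0.200:80"
)
IPS_LINE = (
    "Sep 16 23:38:17 192.168.0.254 Sep 17 01:38:17 opnsense suricata[61590]: "
    "[Drop] [1:2006446:13] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.168.0.100:27003 -> 192.168.0.200:80"
)

EXPECTED_SIGNATURE = "ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"


def extract_signature(regex: str, group: int, line: str):
    """Emulate a transforms.conf REGEX/FORMAT pair on a single event.

    Returns the capture group that FORMAT = signature::"$<group>" would use,
    or None when the regex does not match (Splunk then creates no field).
    """
    m = re.search(regex, line)
    if m is None:
        return None
    return m.group(group)


def compare_regexes():
    """Run every regex/group combination over both sample events.

    Keys are (regex name, FORMAT group); values are (IDS result, IPS result).
    """
    cases = {
        ("old", 1): OLD_REGEX,
        ("new", 1): NEW_REGEX,   # wrong group: shows what "$1" would now give
        ("new", 2): NEW_REGEX,
        ("tight", 2): TIGHT_REGEX,
    }
    return {
        key: (extract_signature(rx, grp, IDS_LINE), extract_signature(rx, grp, IPS_LINE))
        for (name, grp), rx in ((k, v) for k, v in cases.items())
        for key in [(name, grp)]
    }


if __name__ == "__main__":
    for (name, grp), (ids, ips) in compare_regexes().items():
        print(f"{name:5s} ${grp}: IDS={ids!r}  IPS={ips!r}")
```

Running the script prints the old regex producing the signature only for the IDS event, the new regex producing it for both when "$2" is used, and "$1" under the new regex yielding "[Drop] " for the IPS event and nothing for the IDS event, which is why the FORMAT line in the proposed stanza changes along with the REGEX.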
ZachChristensen28 commented
Thanks for pointing this out! Please let us know if you come across any more issues.