Can not use suricata address-book names in address-group definitions

[TheRealPancakes]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

48

RAM

512G

Storage for /

445.07 GiB

Storage for /nsm

11.64 TiB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

In my experience it is common to define suricata's EXTERNAL_NET as "!$HOME_NET" in deployment scenarios where the sensor isn't tasked with detection of lateral movement. This was possible in 2.4.60 but the CIDR regex check in place on 2.4.70 prevents the use of address-book names in address-group definitions with error "You must enter a valid IP address or CIDR." Also, many of the default address-book definitions include address-book names, so it doesn't seem correct to restrict custom definitions to CIDR or IP.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

We've created an issue to fix this:
#13136