Are there example of tuning syntax regarding new tune detection feature?

[Syngelik]

As the title indicates, I'm looking for examples when tuning, specifically when using the modify choice. In my case, I have a couple rules where I'd like a couple parent domains to not trigger perl or curl user-agent rules. If I wanted to "whitelist" say microsoft.com, where can I find what that would look like?

[cm-ops]

You could add a content keyword https://docs.suricata.io/en/suricata-7.0.5/rules/payload-keywords.html something like content: !"microsoft.com";.

[sutehk-cs]

I would appreciate this as well. I've tried all kinds of inputs to no avail. I've defaulted to editing the rule itself for now.

[cm-ops]

@Syngelik give me an example SID please.

[Syngelik]

@cm-ops The original rules that I was trying to modify with the tune detection tool were 2013028, 2013030, or 2013031

[cm-ops]

Rule after modify:

[root@so-standalone ~]# grep 2013028 /opt/so/rules/nids/suri/all.rules
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"curl/"; nocase; startswith; content: !"microsoft.com"; nocase; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:8; metadata:created_at 2011_06_14, deprecation_reason Performance, updated_at 2024_07_02;)