Suricata rule modification in SOC GUI

[Zer0-cyber-web]

Version

2.4.170

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

32

Storage for /

500Gb

Storage for /nsm

16Tb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi!
Can any one point me please the right direction to search about Suricata rule modification in SOC GUI?
My task is to modify Suricata rule #2026889 with SOC instruments, which is following:
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.icu) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".icu"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2022_11_21;)
It detects all DNS requests for .icu domains.
While I have blocked on DNS-server all requests for domain "cc.cloudad.icu", which is the only domain this rule detects in my network, I would like to have all other .icu domains to be detected.
The only documentation about using SOC for this purpose I found here, but it has very small info about details...
Suricata rule format sais that I need to use pcre command in order to exclude domain "cc.cloudad.icu" from rule:
pcre:"!/cc\.cloudad\.icu/"
but - how exactly I should enter this command in SOC GUI - I was unable to find...

So - any help would be very appreciated!!

PS: of course, I can modify source of this rule in all.rules file. But next Suricata rule update will overwright my modifications, so I believe right way to do this - is throug using SOC GUI....

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Depending on how/where you want to put the value you could do something like below.

This yields a rule that looks like this:

[root@so-managersearch logstash]# grep 2026889 /opt/so/rules/nids/suri/all.rules
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.icu) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".icu"; content: !"cc.cloudad.icu"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2022_11_21;)

[Zer0-cyber-web]

I see, thank you! So if I understood correctly - it takes any content from rule (which is described in Regex field), and replaces it with string that I put in Value field, right?

[Zer0-cyber-web]

Strange, in my case rule modification is not leading to all.rules changes...
[root@secon ~]# grep 2026889 /opt/so/rules/nids/suri/all.rules alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.icu) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".icu"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, confidence High, signature_severity Informational, updated_at 2022_11_21;)

Will it take some time to deploy?

[Zer0-cyber-web]

UPD: Yes, indeed - it takes some time to update rules modification. Thank you!