Suricata » Suricata-Update

Full Output beyond just the error quoted above...

17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/update.yaml
17/3/2020 -- 10:11:20 - <Info> -- Using data-directory /var/lib/suricata.
17/3/2020 -- 10:11:20 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
17/3/2020 -- 10:11:20 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
17/3/2020 -- 10:11:20 - <Info> -- Found Suricata version 4.1.6 at /usr/bin/suricata.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/disable.conf.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/enable.conf.
17/3/2020 -- 10:11:20 - <Info> -- Loading /etc/suricata/modify.conf.
Traceback (most recent call last):
  File "/usr/bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1515, in main
    sys.exit(_main())
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 1318, in _main
    modify_filters += load_filters(modify_conf_filename)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 451, in load_filters
    filter = ModifyRuleFilter.parse(line)
  File "/usr/bin/../lib/python2.7/site-packages/suricata/update/main.py", line 272, in parse
    raise Exception("Bad number of arguments.")
Exception: Bad number of arguments.

This is reporting an error while parsing your modify.conf, it not a very user friendly way (which we should address). For now, can you post your modify.conf as well?

Ah, thanks.
So it was having trouble with this line intended to backtrack rules using tls.cert_subject back to the 4.x format.

re:"tls.cert_subject" "tls_cert_subject" 

The syntax for "re" modifications in modify.conf could also be better documented. The only coverage currently seems to be...

# Change all trojan-activity rules to drop. Its better to setup a
# drop.conf for this, but this does show the use of back references.
#re:classtype:trojan-activity "(alert)(.*)" "drop\\2" 

So a modification requires 3 parameters:

match from to

So

re:"tls.cert_subject" "tls_cert_subject" 

re:tls\.cert_subject "tls\.cert_subject" "tls_cert_subject" 

There is some info here: https://suricata-update.readthedocs.io/en/latest/update.html#modifying-rules, but the configuration file could probably do with some more detail as well.