Project

General

Profile

Bug #10185

Suricata 'Alert Log View Filter' undesirably port matches substrings instead of exact port

Added by Sean McBride about 1 month ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Suricata
Target version:
-
Start date:
01/14/2020
Due date:
% Done:

0%

Estimated time:
Affected Version:
Affected Architecture:

Description

See attached screenshot. When I put a port number, like "25" in the 'destination port' field, I would expect to get matches to that exact port. But instead it's also matching substrings, like port "12539", "2570", etc.

I don't really care about random ports that are closed anyway, but I do care to see what's happening on my mail port. So even if this is deliberate, it would be nice to have an exact port matching option. I guessed possible syntaxes like "25" or +25 but they didn't work.

SubstringPortMatch.png (105 KB) SubstringPortMatch.png Sean McBride, 01/14/2020 04:18 PM

History

#1 Updated by Jim Pingle about 1 month ago

  • Category set to Suricata

#2 Updated by Bill Meeks about 1 month ago

The alerts log filtering tool uses Perl regular expression syntax. If you want to find say just Port 25, then try this in the PORT box: ^25$

That should only return log entries with a PORT exactly matching "25". The regex syntax means "find a string starting and ending with 25". That should result in the filtering out of other substring matches.

I can look into offering an exact matching option on that tab in a future update.

#3 Updated by Sean McBride about 1 month ago

Or even just adding some text under the input fields to specify that it takes regexes.

#4 Updated by Bill Meeks about 1 month ago

Sean McBride wrote:

Or even just adding some text under the input fields to specify that it takes regexes.

Yeah, can definitely do that in a future release.

Also available in: Atom PDF