Bug #10185
closed
Suricata 'Alert Log View Filter' undesirably port matches substrings instead of exact port
0%
Description
See attached screenshot. When I put a port number, like "25" in the 'destination port' field, I would expect to get matches to that exact port. But instead it's also matching substrings, like port "12539", "2570", etc.
I don't really care about random ports that are closed anyway, but I do care to see what's happening on my mail port. So even if this is deliberate, it would be nice to have an exact port matching option. I guessed possible syntaxes like "25" or +25 but they didn't work.
Files
Updated by 
Updated by Bill Meeks over 4 years ago
The alerts log filtering tool uses Perl regular expression syntax. If you want to find say just Port 25, then try this in the PORT box: ^25$
That should only return log entries with a PORT exactly matching "25". The regex syntax means "find a string starting and ending with 25". That should result in the filtering out of other substring matches.
I can look into offering an exact matching option on that tab in a future update.
Updated by Sean McBride over 4 years ago
Or even just adding some text under the input fields to specify that it takes regexes.
Updated by Bill Meeks over 4 years ago
Sean McBride wrote:
Or even just adding some text under the input fields to specify that it takes regexes.
Yeah, can definitely do that in a future release.
Updated by Bill Meeks about 4 years ago
The requested feature has been added to the Filter Panel on the ALERTS tab of the latest Suricata GUI package releases at https://github.com/pfsense/FreeBSD-ports/pull/786 and https://github.com/pfsense/FreeBSD-ports/pull/788.
This issue can be closed.