From 47f4044e634fa85e105de2ab5efc6d286eb371b2 Mon Sep 17 00:00:00 2001
From: aiooss-anssi
Date: Fri, 9 Aug 2024 10:30:55 +0200
Subject: [PATCH] suricata/rules: reduce saar flag false positives
---
 suricata/rules/suricata.rules | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/suricata/rules/suricata.rules b/suricata/rules/suricata.rules
index 80eee6f..93aa595 100644
--- a/suricata/rules/suricata.rules
+++ b/suricata/rules/suricata.rules
@@ -38,9 +38,9 @@ alert ip any any -> any any (msg: "A ICC flag was placed in our services (probab
 alert ip any any -> any any (msg: "A saarCTF flag was sent to client"; flow:to_client; content: "SAAR"; pcre: "/(SAAR\{[A-Za-z0-9-_]{32}\})/, flow:match"; distance: -4; metadata: tag FLAG OUT, color danger; sid: 51;)
 alert ip any any -> any any (msg: "A saarCTF flag was sent to client"; flow:to_client; file.data; content: "SAAR{"; pcre: "/(SAAR\{[A-Za-z0-9-_]{32}\})/, flow:match"; distance: -5; metadata: tag FLAG OUT, color danger; sid: 52;)
 alert ip any any -> any any (msg: "A saarCTF flag was sent to client (URL encoded)"; flow:to_client; content: "SAAR%7B"; pcre: "/(SAAR%7B[A-Za-z0-9-_]{32}%7D)/, flow:match"; distance: -7; metadata: tag FLAG OUT, color danger; sid: 53;)
-alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "U0FBUn"; metadata: tag FLAG OUT B64, color danger; sid: 54;)
-alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "NBQVJ7"; metadata: tag FLAG OUT B64, color danger; sid: 55;)
-alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "TQUFSe"; metadata: tag FLAG OUT B64, color danger; sid: 56;)
+alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "U0FBUnt"; metadata: tag FLAG OUT B64, color danger; sid: 54;)
+alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "NBQVJ7"; pcre: "/(NBQVJ7[A-Za-z\d]{43}9)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 55;)
+alert ip any any -> any any (msg: "A saarCTF flag was sent to client (base64)"; flow:to_client; content: "TQUFSe"; pcre: "/(TQUFSe[A-Za-z\d]{43}f)/, flow:match"; distance: -6; metadata: tag FLAG OUT B64, color danger; sid: 56;)
 alert ip any any -> any any (msg: "A saarCTF flag was placed in our services (probably by checkers)"; flow:to_server; content: "SAAR"; pcre: "/(SAAR\{[A-Za-z0-9-_]{32}\})/, flow:match"; distance: -4; metadata: tag FLAG IN, color success; sid: 57;)
 alert ip any any -> any any (msg: "A saarCTF flag was placed in our services (probably by checkers, URL encoded)"; flow:to_server; content: "SAAR%7B"; pcre: "/(SAAR%7B[A-Za-z0-9-_]{32}%7D)/, flow:match"; distance: -7; metadata: tag FLAG IN, color success; sid: 58;)