[Snort-users] PulledPork modifysid issue

Castle, Shane scastle at ...14946...
Fri Aug 24 13:25:21 EDT 2012

KTHX. Did that. Now issue 114. Added SIDs to disablesid.conf. Sigh.

Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Friday, August 24, 2012 11:11
To: Castle, Shane
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] PulledPork modifysid issue

On Aug 24, 2012, at 12:53 PM, "Castle, Shane" <scastle at ...14946...> wrote:

> I am using the PulledPork distributed with Security Onion, but I have verified that there is no difference between this version and 0.6.1 in the modifysid area. My issue is that I can't get any modifysid.conf line that refers to an IP address to work. For example:
> 2402001 "\/24," ""
> Rewriting it without the "\", adding "\" before all the dots, or anything, results in the line being ignored by PP as far as I can tell. Turning $Verbose to 2 shows what sids are modified, and the sid I want modified is not listed. Changing the sid to "*" has no effect, either. (BTW, the modify_sid sub seems not to like prefixing "1:" to the sid.)
> I suspect the two regexes after the "while" in the modify_sid sub, but my examination of them yields no insights. My alternative is to disable the sids, and unless there is a quick fix that's what I'll have to do.


I'd suggest filing a bug here:


Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
