[Snort-users] PulledPork modifysid issue
scastle at ...14946...
Fri Aug 24 13:25:21 EDT 2012
KTHX. Did that. Now issue 114. Added SIDs to disablesid.conf. Sigh.
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
From: Joel Esler [mailto:jesler at ...1935...]
Sent: Friday, August 24, 2012 11:11
To: Castle, Shane
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] PulledPork modifysid issue
On Aug 24, 2012, at 12:53 PM, "Castle, Shane" <scastle at ...14946...> wrote:
> I am using the PulledPork distributed with Security Onion, but I have verified that there is no difference between this version and 0.6.1 in the modifysid area. My issue is that I can't get any modifysid.conf line that refers to an IP address to work. For example:
> 2402001 "220.127.116.11\/24," ""
> Rewriting it without the "\", adding "\" before all the dots, or anything, results in the line being ignored by PP as far as I can tell. Turning $Verbose to 2 shows what sids are modified, and the sid I want modified is not listed. Changing the sid to "*" has no effect, either. (BTW, the modify_sid sub seems not to like prefixing "1:" to the sid.)
> I suspect the two regexes after the "while" in the modify_sid sub, but my examination of them yields no insights. My alternative is to disable the sids, and unless there is a quick fix that's what I'll have to do.
I'd suggest filling a bug here:
Senior Research Engineer, VRT
OpenSource Community Manager
More information about the Snort-users