[Snort-users] add flag to drop rules

Yossi Nachum nachum234 at ...11827...
Wed Jun 5 10:54:23 EDT 2013


I am using Snort in inline mode with NFQ.

I configured all my drop rules using pulledpork with the following regex in
"pcre:balanced-ips\ drop"

Now I want to add a prefix to the messages of these rules so I will know
how to search if a drop rule was triggered.

I tried to add the following to modifysid.conf:
pcre:balanced-ips\ drop "\(msg:"" "\(msg:"balanced-ips ";

but it didn't do anything.

How can I add a prefix or some flag to these rules so I can search for them
in syslog?
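
An added example, not part of the original post and not PulledPork's own mechanism: a Python post-processing pass over the generated rules file that prepends `balanced-ips ` to the msg of every enabled rule whose metadata carries `policy balanced-ips drop`. The sample rules, their SIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample of a generated rules file (rules and SIDs are made up).
SAMPLE_RULES = r'''drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed rule A"; flow:to_server,established; content:"/a"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed rule B"; content:"/b"; metadata:policy security-ips drop; sid:1000002; rev:1;)
# drop tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE constructed disabled rule"; metadata:policy balanced-ips drop; sid:1000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"balanced-ips EXAMPLE already tagged"; metadata:policy balanced-ips drop; sid:1000004; rev:2;)
'''

# Same selector the post uses for its drop rules: the policy metadata entry.
POLICY_RE = re.compile(r'\bmetadata:[^;]*\bpolicy\s+balanced-ips\s+drop\b')
# Opening of the msg option; the first match is used (msg is conventionally
# the first option in a rule).
MSG_RE = re.compile(r'\bmsg:\s*"')


def tag_rule(line, prefix="balanced-ips "):
    """Return (line, changed) with prefix inserted at the start of msg."""
    # Leave disabled (commented) rules and rules outside the policy alone.
    if line.lstrip().startswith("#") or not POLICY_RE.search(line):
        return line, False
    m = MSG_RE.search(line)
    # No msg option, or the prefix is already there (keeps the pass idempotent).
    if m is None or line.startswith(prefix, m.end()):
        return line, False
    return line[:m.end()] + prefix + line[m.end():], True


def tag_rules(text, prefix="balanced-ips "):
    """Tag every matching rule in text; return (new_text, rules_changed)."""
    out, count = [], 0
    for line in text.split("\n"):
        new, changed = tag_rule(line, prefix)
        out.append(new)
        count += changed
    return "\n".join(out), count


if __name__ == "__main__":
    tagged, n = tag_rules(SAMPLE_RULES)
    print(tagged)
    print(f"{n} rule(s) tagged")
```

The pass has to be repeated whenever the rules file is regenerated, because the prefixes live only in the generated file.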
