[Snort-users] Best way to change and apply multiple rules for a certain criteria
jcrochon at ...6828...
Fri Sep 12 11:35:58 EDT 2014
I'm looking for a way to change all my rules that have "PCAnywhere" going outside, to only detect going inside.
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_server,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
I would like to change the important parts to alert on attempts to my $HOME_NET only:
Direction change: $HOME_NET 5631:5632 <- $EXTERNAL_NET
Flow change: flow:to_client
Also, should I disable this rule and recreate it in local.rules, or would just editing it suffice?
I forgot if the order of included rules matters. Would I need to put edited rules at the top?
Example, change this:
Are the rules overwritten, so that all custom rules should be last at the bottom of snort.conf?
Thank you and Best Regards,
Jason C. Rochon