[Snort-users] Pulledpork and changing rules in modifysid.conf

Y M snort at ...15979...
Thu May 28 08:49:36 EDT 2015


Hi Robert,

Changing a rule's action from "alert" to "drop" is better handled in dropsid.conf rather than "modifysid.conf". That said, to change all rules from "alert tcp" to "drop tcp", you can do something like this. In dropsid.conf, add the following line:

pcre:alert tcp

Not much luck with adding the string "react:msg;" though. I attempted with pcre in modifysid.conf but no good. Maybe someone else can chime in.

YM

Date: Thu, 28 May 2015 13:50:49 +0200
From: wrkilu at ...3879...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Pulledpork and changing rules in modifysid.conf


Hi,

We need to change rules but I don't know how to do this with this file because I have a difficult case.

The goal is: changing every rule with "alert tcp" to "drop tcp" AND adding the string "react: msg; "

 

Thanks,

Robert
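
The transformation asked for in this thread (every "alert tcp" rule becomes "drop tcp" and gains "react: msg;"), as an added Python example that is not from either poster and is not part of PulledPork. It assumes the rules are one per line in a generated rules file and is run over that file after PulledPork; the function names and sample rules are constructed for illustration.

```python
import re

# Enabled single-line rules whose header begins with "alert tcp".
HEADER = re.compile(r'^(\s*)alert(\s+tcp\s)')
# An existing react option; a plain text check that does not parse quoted strings.
HAS_REACT = re.compile(r'[(;]\s*react\s*[:;]')

def rewrite_rule(line, option="react: msg;"):
    """alert tcp -> drop tcp, and append `option` once; other lines pass through."""
    body = line.rstrip()
    if not HEADER.match(body) or not body.endswith(")"):
        return line                      # comments, other protocols, partial rules
    body = HEADER.sub(r"\g<1>drop\g<2>", body, count=1)
    if not HAS_REACT.search(body):
        inner = body[:-1].rstrip()       # drop the closing parenthesis
        if not inner.endswith((";", "(")):
            inner += ";"                 # terminate the last option if needed
        body = f"{inner} {option})"
    return body + line[len(line.rstrip()):]   # keep the original line ending

def rewrite_rules(text, option="react: msg;"):
    """Apply rewrite_rule to every line of a rules file held in `text`."""
    return "".join(rewrite_rule(l, option) for l in text.splitlines(keepends=True))

# Constructed sample rules (not from any real ruleset).
SAMPLE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST one"; content:"abc"; sid:1000001; rev:1;)\n'
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"TEST two"; sid:1000002; rev:1;)\n'
    '# alert tcp any any -> any 25 (msg:"TEST disabled"; sid:1000003; rev:1;)\n'
    'alert tcp any any -> any 80 (msg:"TEST four"; react: msg; sid:1000004; rev:1;)\n'
)

if __name__ == "__main__":
    print(rewrite_rules(SAMPLE), end="")
```

Disabled (commented-out) rules and non-TCP rules are left untouched, and a rule that already carries a react option only has its action changed.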

 

 





