[Snort-users] Pulledpork and changing rules in modifysid.conf

Shirkdog shirkdog at ...11827...
Fri May 29 08:23:42 EDT 2015


You just need to use * instead of the sid, and modifysid.conf will
modify all signatures.

---
Michael Shirk


On Thu, May 28, 2015 at 8:49 AM, Y M <snort at ...15979...> wrote:
> Hi Robert,
>
> Changing a rule's action from "alert" to "drop" is better handled in
> dropsid.conf rather than "modifysid.conf". That said, to change all rules
> from "alert tcp" to "drop tcp", you can do something like this. In
> dropsid.conf, add the following line:
>
> pcre:alert tcp
>
> Not much luck with adding the string "react:msg;" though. I attempted with
> pcre in modifysid.conf but no good. Maybe someone else can chime in.
>
> YM
> ________________________________
> Date: Thu, 28 May 2015 13:50:49 +0200
> From: wrkilu at ...3879...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Pulledpork and changing rules in modifysid.conf
>
>
> Hi,
>
> We need to change rules, but I don't know how to do this with this file
> because I have a difficult case.
>
> The goal is: changing every rule with "alert tcp" to "drop tcp" AND adding
> the string "react: msg; "
>
> Thanks,
> Robert
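As an added example (not part of the thread and not PulledPork's own code), this Python dry run previews what a wildcard and a per-SID regex substitution do to rule text before a real ruleset is touched. It assumes each line has the shape `<sid list or *> "pattern" "replacement"` with one substitution per rule; the rules, SIDs and conf lines are constructed.

```python
import re

# Assumed modifysid.conf line shape: <sid list or *> "pattern" "replacement"
LINE_RE = re.compile(r'^\s*([\d,\s]+|\*)\s+"(.+)"\s+"(.*)"\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_modify_line(line):
    """Return (sid set or None for '*', compiled pattern, replacement); None for comments."""
    if not line.strip() or line.lstrip().startswith('#'):
        return None
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    target, pattern, repl = m.groups()
    sids = None if target == '*' else {int(s) for s in target.split(',') if s.strip()}
    return sids, re.compile(pattern), repl

def apply_modifications(rules, conf_lines):
    """Apply each conf line in order; return (new_rules, set of changed SIDs)."""
    out, changed = list(rules), set()
    for line in conf_lines:
        parsed = parse_modify_line(line)
        if parsed is None:
            continue
        sids, pattern, repl = parsed
        for i, rule in enumerate(out):
            m = SID_RE.search(rule)
            sid = int(m.group(1)) if m else None
            if sids is not None and sid not in sids:
                continue
            # The lambda keeps the replacement literal (no backreference expansion).
            new = pattern.sub(lambda _m: repl, rule, count=1)
            if new != rule:
                out[i] = new
                changed.add(sid)
    return out, changed

# Constructed sample rules and conf lines (not from any real ruleset).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed A"; sid:1000001; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed B"; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"constructed C"; sid:1000003; rev:1;)',
]
CONF = [
    '# wildcard: the anchored pattern leaves the udp rule untouched',
    '* "^alert tcp" "drop tcp"',
    '# SID list: append the option just before the closing parenthesis',
    r'1000001,1000003 "\)\s*$" " react:msg;)"',
]
```

Diffing the returned rules against the originals shows exactly which SIDs an unanchored or overly broad pattern would have touched.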



