Snort mailing list archives

Re: Rule update question


From: Andreas Östling <andreaso () it su se>
Date: Tue, 15 Jun 2004 11:37:04 +0200


On Monday 14 June 2004 20:42, Nick Duda wrote:
> Silly question, I just drew a blank as I once did this....
>
> How can I set oinkmaster when coming to a rule that was modified
> manually to skip it, but I don't want it disabled. Say I modified the
> rule from :
>
> Example:
> Alert icmp $EXTERNAL_NET any -> $HOME_NET
> To
> Alert icmp $EXTERNAL_NET any -> ![x.x.x.x}

You can't really do that (for the reasons recently discussed here), but you 
could do a modifysid for it:
modifysid <sid> "-> \$HOME_NET" | "-> ![foo]"

/Andreas
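
The substitution suggested in the reply above, emulated in Python as an added example (not part of the original message and not Oinkmaster's own code). The SIDs, the address 192.0.2.10 and the function names are constructed; it assumes modifysid applies its first argument as a regular expression to the rule with the given SID, which is why the `$` is escaped.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules; the SIDs and the address used below are made up.
RULES = '''\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ICMP example"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed TCP example"; sid:1000002; rev:1;)
'''


def apply_modifysid(rules, sid, what, repl):
    """Emulate: modifysid <sid> "what" | "repl".

    Returns (new_rules, status) with status one of "modified",
    "no-match" (rule found, regex did not hit) or "sid-not-found".
    """
    out, status = [], "sid-not-found"
    for line in rules.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) == sid and not line.lstrip().startswith("#"):
            # 'what' is a regex; 'repl' is inserted literally (no backreferences).
            line, hits = re.subn(what, lambda _m: repl, line, count=1)
            status = "modified" if hits else "no-match"
        out.append(line)
    return "\n".join(out) + "\n", status


def destination(rules, sid):
    """Return the destination-address field of the rule with this SID."""
    for line in rules.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) == sid:
            header = line.split("(", 1)[0].split()
            return header[header.index("->") + 1]
    return None


if __name__ == "__main__":
    # Escaped "$", as in the reply: the literal text "-> $HOME_NET" is replaced.
    new, status = apply_modifysid(RULES, 1000001, r"-> \$HOME_NET", "-> ![192.0.2.10]")
    print(status, destination(new, 1000001))
    # Unescaped "$" is an end-of-line anchor, so the rule is left untouched.
    new, status = apply_modifysid(RULES, 1000001, r"-> $HOME_NET", "-> ![192.0.2.10]")
    print(status, destination(new, 1000001))
```

The "no-match" status is also what a changed upstream rule header would produce, so it is worth checking after each update that the modified rule still carries the intended destination.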

