Snort mailing list archives
Re: OT: change msg option in rules files with oinkmaster
From: Markus Lude <markus.lude () gmx de>
Date: Tue, 8 Jul 2008 19:46:04 +0200
On Tue, Jul 08, 2008 at 07:24:14PM +0200, carlopmart wrote:
Hi all, Hi all, I am trying to change flag on msg param from snort's rules files to put a specific flag. For example: msg: "ET ....", I need to change to msg: "[TEST ET] ...". I am trying to do this using modifysid option on oinkmaster.conf. I have tried this combinations: modifysid * "msg:"\" | "msg: "\[TEST]\ "
^^^ ^^ Here you escape the wrong '"' and the last escape should probably be for the ']'.
modifysid * "msg:" | "msg: "[TEST] " modifysid * "msg: \"" | "msg: \"[TEST] "
Does this work for you (untested): modifysid * "msg: ?\"ET " | "msg:\"\[TEST ET\] " Regards, Markus ------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- OT: change msg option in rules files with oinkmaster carlopmart (Jul 08)
- Re: OT: change msg option in rules files with oinkmaster Markus Lude (Jul 08)