Snort mailing list archives
add flag to drop rules
From: Yossi Nachum <nachum234 () gmail com>
Date: Wed, 5 Jun 2013 17:54:23 +0300
Hi,

I am using Snort in inline mode with NFQ. I configured all my drop rules using pulledpork with the following regex in dropsid.conf:

pcre:balanced-ips\ drop

Now I want to add a prefix to the messages of these rules so I will know how to search if a drop rule was triggered. I tried to add the following to modifysid.conf:

pcre:balanced-ips\ drop "\(msg:"" "\(msg:"balanced-ips "

but it didn't do anything. How can I add a prefix or some flag to these rules so I can search for them in syslog?

Thanks,
Yossi
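The rewrite the post is asking for is a plain text transformation on the rules file: for every rule whose text matches a selector regex (the same "balanced-ips drop" metadata the dropsid.conf pcre keys on), insert a fixed prefix at the start of the msg string, then grep syslog for that prefix. The script below is an added, stand-alone illustration of that transformation and is not pulledpork code or part of the original thread; the rules and syslog lines it operates on are constructed for the example, in the shape of VRT metadata and Snort's alert_syslog output. It also handles the edge case the modifysid.conf attempt above would trip over if run twice: an already-prefixed rule is left alone, so the pass is idempotent.

```python
"""Prefix the msg of every Snort rule selected by a regex, then find those
alerts in syslog. Added example, not from the original post or pulledpork."""
import re

# Constructed sample rules (VRT-style metadata); not taken from a real ruleset.
SAMPLE_RULES = """\
# comments and blank lines pass through untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example alert rule"; flow:to_server,established; content:"foo"; metadata:policy balanced-ips alert, policy security-ips drop; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS example drop rule"; flow:to_server,established; content:"bar"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000002; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"balanced-ips DNS already prefixed"; content:"baz"; metadata:policy balanced-ips drop; sid:1000003; rev:1;)
"""

# Same selection idea as the dropsid.conf pcre: match the balanced-ips drop policy.
# Note that "security-ips drop" alone (rule 1000001) must NOT match.
SELECTOR_RE = re.compile(r"balanced-ips drop")
# Locate the opening quote of the msg option wherever it sits in the rule body.
MSG_RE = re.compile(r'msg:\s*"')


def prefix_msg(rule, prefix="balanced-ips ", selector=SELECTOR_RE):
    """Return the rule with `prefix` inserted at the start of its msg text
    when `selector` matches. Rules that already carry the prefix, rules the
    selector does not match, and rules without a msg are returned unchanged."""
    if not selector.search(rule):
        return rule
    m = MSG_RE.search(rule)
    if m is None:
        return rule
    if rule.startswith(prefix, m.end()):
        return rule  # already tagged: keep the pass idempotent
    return rule[:m.end()] + prefix + rule[m.end():]


def process_rules(text, **kwargs):
    """Apply prefix_msg to every rule line in a rules file.
    Returns (rewritten_text, number_of_rules_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        new = prefix_msg(line, **kwargs)
        changed += int(new != line)
        out.append(new)
    return "\n".join(out) + "\n", changed


# Constructed syslog lines in the shape of Snort's alert_syslog output:
#   [gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst
SAMPLE_SYSLOG = [
    "Jun  5 17:50:01 sensor snort[4242]: [1:1000001:1] WEB example alert rule "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40000 -> 10.0.0.5:80",
    "Jun  5 17:50:02 sensor snort[4242]: [1:1000002:1] balanced-ips NETBIOS example drop rule "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.11:40001 -> 10.0.0.5:445",
    "Jun  5 17:50:03 sensor snort[4242]: [1:1000003:1] balanced-ips DNS already prefixed "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.12:53000 -> 10.0.0.5:53",
]


def drop_hits(lines, prefix="balanced-ips "):
    """Return the SIDs of syslog alerts whose msg starts with `prefix`,
    i.e. the alerts raised by rules tagged by prefix_msg."""
    pat = re.compile(r"\[(\d+):(\d+):(\d+)\] " + re.escape(prefix))
    return [int(m.group(2)) for line in lines if (m := pat.search(line))]


if __name__ == "__main__":
    rewritten, n = process_rules(SAMPLE_RULES)
    print(f"{n} rule(s) tagged")
    print(rewritten)
    print("drop-rule SIDs seen in syslog:", drop_hits(SAMPLE_SYSLOG))
```

Running the script against the constructed rules tags exactly one rule (sid 1000002): the alert-policy rule is skipped because its metadata says "balanced-ips alert", and the already-tagged rule is not prefixed a second time. A second pass over the output changes nothing, which is the property you want from anything that runs after every ruleset update. On the syslog side, the tag lets a single regex on the msg field pull out the drop-rule hits without joining against the ruleset by SID.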