Snort mailing list archives
Re: I would like to use PulledPork to add info into the msg: field
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 22 Aug 2013 12:55:57 -0400
On 8/22/2013 11:20, Avery Rozar wrote:
Looks like that would only work using the sids right? I would like all 7K that are enabled to drop via dropsid.conf to add "drop" in the msg: area. Something like this (this did not work, either in modifysid or dropsid):

pcre:security-ips\ drop "\(msg:"" "\(msg:"DROP ";
i think that if the above were to work you would also need to escape the internal quotes...

pcre:security-ips\ drop "\(msg:\"" "\(msg:\"DROP ";

but the above simply shoves drop in without bothering if drop is already in the msg... what would happen on the third or fourth time that a rule is modified in this manner? would the MSG in it be "DROP DROP DROP DROP foobie blarg"??

i think jj, as the author/maintainer of PP, is on the right track pointing to modifysid because that is exactly what it is for... yes, it means having a duplicate list of entries to deal with... this is no different than oinkmaster ;)

of course, instead of using dropsid, you could possibly perform everything with modifysid... it may be more intricate and may possibly require more than one entry for each step in modifysid but then you would have all parts in the one file instead of spread out in two...

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
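The accumulation problem raised above (a msg: prefix that gets re-applied on every PulledPork run) can be reproduced outside PulledPork. The following is an added example, not code from the thread or from PulledPork itself: it simulates a modifysid-style pcre substitution with Python's re module over a few constructed sample rules, shows how the naive `\(msg:"` pattern stacks "DROP " on each pass, and contrasts it with an idempotent pattern that uses a negative lookahead so the tag is only inserted once. The separate action rewrite (alert to drop, skipping commented-out rules) mirrors what dropsid.conf achieves; the rule text and sids are constructed placeholders.

```python
import re

# Constructed sample rules (not from the thread); sids are placeholders.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web request"; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE smb probe"; sid:9000002; rev:1;)',
    '# alert udp any any -> any 53 (msg:"EXAMPLE disabled dns rule"; sid:9000003; rev:1;)',
]

# Naive substitution, equivalent to the attempt discussed in the thread:
#   pcre:... "\(msg:\"" "\(msg:\"DROP "
NAIVE_PATTERN = re.compile(r'\(msg:"')
REPLACEMENT = '(msg:"DROP '

# Idempotent variant: the negative lookahead refuses to match a msg that
# already starts with "DROP ", so repeated runs leave the rule unchanged.
IDEMPOTENT_PATTERN = re.compile(r'\(msg:"(?!DROP )')


def tag_msg(rule: str, pattern: re.Pattern, replacement: str) -> str:
    """Apply one pcre-style substitution to a single rule line."""
    return pattern.sub(replacement, rule, count=1)


def apply_passes(rules, pattern, replacement, passes: int):
    """Run the substitution `passes` times over the rule set, as repeated
    PulledPork runs against an already-modified file would."""
    out = list(rules)
    for _ in range(passes):
        out = [tag_msg(r, pattern, replacement) for r in out]
    return out


def count_drop_prefixes(rule: str) -> int:
    """Number of consecutive 'DROP ' tokens at the start of the msg: field."""
    m = re.search(r'msg:"((?:DROP )*)', rule)
    return len(m.group(1)) // len("DROP ") if m else 0


def set_drop_action(rule: str) -> str:
    """Rewrite an enabled 'alert' rule to 'drop' (what dropsid.conf does);
    commented-out rules are left untouched."""
    if rule.lstrip().startswith('#'):
        return rule
    return re.sub(r'^alert\b', 'drop', rule, count=1)


if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE_PATTERN), ("idempotent", IDEMPOTENT_PATTERN)):
        result = apply_passes(SAMPLE_RULES, pattern, REPLACEMENT, passes=3)
        print(f"{label}: {count_drop_prefixes(result[0])} DROP prefix(es) after 3 passes")
        print("  ", set_drop_action(result[0]))
```

Running the script three passes deep shows the naive pattern producing `msg:"DROP DROP DROP EXAMPLE web request"`, while the lookahead version stops at a single prefix; the same lookahead idea applies to any modifysid entry that prepends text, since PulledPork reapplies modifysid.conf to the freshly downloaded rules on every run.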
Current thread:
- I would like to use PulledPork to add info into the msg: field Avery Rozar (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field JJ Cummings (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field Avery Rozar (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field JJC (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field Avery Rozar (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field waldo kitty (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field Avery Rozar (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field Joel Esler (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field Avery Rozar (Aug 22)
- Re: I would like to use PulledPork to add info into the msg: field JJ Cummings (Aug 22)