Snort mailing list archives

Re: I would like to use PulledPork to add info into the msg: field


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 22 Aug 2013 12:55:57 -0400

On 8/22/2013 11:20, Avery Rozar wrote:
Looks like that would only work using the sids right? I would like all 7K
that are enabled to drop via dropsid.conf to add "drop" in the msg: area.

Something like this, (this did not work, either in modifysid, or dropsid)

pcre:security-ips\ drop "\(msg:"" "\(msg:"DROP ";

i think that if the above were to work you would also need to escape the 
internal quotes...

  pcre:security-ips\ drop "\(msg:\"" "\(msg:\"DROP ";

but the above simply shoves drop in without bothering if drop is already in the 
msg... what would happen on the third or fourth time that a rule is modified in 
this manner? would the MSG in it be "DROP DROP DROP DROP foobie blarg"??

i think jj, as the author/maintainer of PP, is on the right track pointing to 
modifysid because that is exactly what it is for... yes, it means having a 
duplicate list of entries to deal with... this is no different than oinkmaster ;)

of course, instead of using dropsid, you could possibly perform everything with 
modifysid... it may be more intricate and may possibly require more than one 
entry for each step in modifysid but then you would have all parts in the one 
file instead of spread out in two...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
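The concern raised above, that a plain modifysid-style substitution prepends DROP again on every PulledPork run, is illustrated here with an added example that is not code from the thread or from PulledPork itself. It applies the same `\(msg:"` substitution in Python to constructed sample rules, once naively and once with a negative lookahead that makes the change idempotent; the rule text, sids and helper names are assumptions for the demonstration.

```python
import re

# Constructed sample rules (not from the thread), as they might look after
# dropsid.conf has already flipped some actions to "drop".
SAMPLE_RULES = [
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Web probe"; sid:1000002; rev:1;)',
    'drop udp any any -> $HOME_NET 53 (msg:"DROP DNS tunnel"; sid:1000003; rev:2;)',
]

# Naive substitution, equivalent to the thread's modifysid entry: it matches
# (msg:" unconditionally, so every run adds another "DROP ".
NAIVE = (re.compile(r'\(msg:"'), '(msg:"DROP ')

# Idempotent variant: the negative lookahead (?!DROP ) skips msg fields that
# already carry the prefix, so running it any number of times is safe.
IDEMPOTENT = (re.compile(r'\(msg:"(?!DROP )'), '(msg:"DROP ')


def tag_drop_rules(rules, pattern, replacement):
    """Apply the msg substitution only to rules whose action is 'drop'."""
    out = []
    for rule in rules:
        if rule.startswith("drop "):
            rule = pattern.sub(replacement, rule, count=1)
        out.append(rule)
    return out


def msg_of(rule):
    """Return the msg string of a rule (assumes a standard (msg:"...") option)."""
    m = re.search(r'\(msg:"([^"]*)"', rule)
    return m.group(1) if m else None


def run_n_times(rules, pattern, replacement, n):
    """Simulate n successive PulledPork runs over the same ruleset."""
    for _ in range(n):
        rules = tag_drop_rules(rules, pattern, replacement)
    return rules


if __name__ == "__main__":
    for label, (pat, rep) in (("naive", NAIVE), ("idempotent", IDEMPOTENT)):
        for rule in run_n_times(SAMPLE_RULES, pat, rep, 3):
            print(f"{label:10} {msg_of(rule)}")
```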
