Snort mailing list archives

Re: Help needed to modify drop rules to reject rules with pulledpork modifysid.conf


From: Y M <snort () outlook com>
Date: Wed, 10 Sep 2014 07:46:52 +0000



From: alexcklam () gmail com
Date: Tue, 9 Sep 2014 23:11:27 -0700
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help needed to modify drop rules to reject rules with pulledpork modifysid.conf

Hi,
I run Snort in inline mode and I have set up drop rules using dropsid.conf. Now, how can I turn these dropsid.conf rules
from "drop" to "reject"? I tried this line in modifysid.conf
* "^\s*drop" "reject"
but it did not work even when my pulledpork.conf already has this line:-
state_order = enable,drop,modify,disable
# I do not believe that modify is an allowed value for state_order. You probably have already read the comments in
pulledpork.conf: "# the valid values are disable, drop, and enable.", and hence the reason it may not be running as
you are expecting.
# In the changes document, there is this: "Bug #82 - Modified run order to force modifysid to run before all other sid
state modification routines". So, in your modifysid.conf you are changing from "drop" to "reject"; however, since
modifysid is run first, there will be no changes, since the rules tarball does not ship with "drop" state. In
other words, PulledPork does not find anything to change.

Here are extracts from my pulledpork run log:
Modifying Sids....
    Modifying ALL SIDS from:^\s*drop to:reject
    Done!
Processing /root/pulledpork-0.7.0/etc/enablesid.conf....
    Enabled 1:2005283
    Enabled 1:2010514
<snip>
    Will drop 124:8
    Will drop 131:3
    Modified 12783 rules
    Done
Processing /root/pulledpork-0.7.0/etc/modifysid.conf....
    Modified 0 rules
    Done
Processing /root/pulledpork-0.7.0/etc/disablesid.conf....
<snip>
Any ideas how I can turn dropsid.conf-enabled rules from "drop" to "reject"?
# An idea would be to create a backup of your disablesid.conf, and then start with a fresh/empty disablesid.conf, then 
in your modifysid.conf just modify "alert" to "reject".
Thanks
alex
#YM
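The ordering point in YM's reply (modifysid runs before the drop state change, so a pattern on "drop" sees nothing to match) is easy to reproduce with a small simulation. The script below is an added illustration written for this archive page; it is not PulledPork's own code and does not read real rule files. It assumes a toy model of the two steps: dropsid rewrites a leading "alert" to "drop" for the listed SIDs, and modifysid applies a regex to either all rules (`*`) or a chosen set of SIDs, mirroring the `sid,sid "from" "to"` shape of modifysid.conf. The three rules are constructed samples, and the 0.7.0 run order is taken from the changelog entry quoted above.

```python
import re

# Constructed sample rules, in the state they arrive in a rules tarball:
# live rules are "alert", and nothing ships with a "drop" action.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed rule A"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule B"; sid:1000002; rev:1;)',
    '# alert udp any any -> any 53 (msg:"constructed rule C"; sid:1000003; rev:1;)',
]

SID_RE = re.compile(r'sid:\s*(\d+)')


def sid_of(rule):
    """Return the integer SID of a rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def apply_modifysid(rules, entries):
    """Toy modifysid step (assumption, not PulledPork's code).

    entries: list of (selector, pattern, replacement) where selector is '*'
    (all rules) or a set of SIDs. Returns (new_rules, rules_changed)."""
    out, changed = [], 0
    for rule in rules:
        new = rule
        for selector, pattern, repl in entries:
            if selector == '*' or sid_of(rule) in selector:
                new = re.sub(pattern, repl, new)
        if new != rule:
            changed += 1
        out.append(new)
    return out, changed


def apply_dropsid(rules, sids):
    """Toy dropsid step (assumption): flip a leading 'alert' to 'drop' for listed SIDs."""
    out, dropped = [], 0
    for rule in rules:
        if sid_of(rule) in sids and rule.startswith('alert'):
            out.append('drop' + rule[len('alert'):])
            dropped += 1
        else:
            out.append(rule)
    return out, dropped


def run(rules, modify_entries, drop_sids):
    """PulledPork 0.7.0 order per the changelog quoted in the thread:
    modifysid first, then the drop state change."""
    rules, changed = apply_modifysid(rules, modify_entries)
    rules, dropped = apply_dropsid(rules, drop_sids)
    return rules, changed, dropped


def as_in_the_thread():
    """modifysid: * "^\\s*drop" "reject", plus both live rules in dropsid.conf."""
    return run(SAMPLE_RULES, [('*', r'^\s*drop', 'reject')], {1000001, 1000002})


def targeted_alternative():
    """Match the action the rules actually have when modifysid runs ('alert'),
    and limit the rewrite to the chosen SIDs instead of '*'."""
    return run(SAMPLE_RULES,
               [({1000001, 1000002}, r'^\s*alert', 'reject')],
               {1000001, 1000002})


if __name__ == '__main__':
    rules, changed, dropped = as_in_the_thread()
    print(f'thread config: modified {changed} rules, dropped {dropped}')
    for r in rules:
        print('  ', r[:40])
    rules, changed, dropped = targeted_alternative()
    print(f'targeted rewrite: modified {changed} rules, dropped {dropped}')
    for r in rules:
        print('  ', r[:40])
```

With the thread's configuration the simulation reports "Modified 0 rules" for exactly the reason YM gives: when the regex runs, every rule still reads "alert". Rewriting "alert" to "reject" for a named SID list reaches the intended rules without touching the commented-out one and without turning every alert in the ruleset into a reject, which is the caveat worth checking before using `*` on an inline sensor.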


------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        