Snort mailing list archives
Re: Pulledpork and changing rules in modifysid.conf
From: Shirkdog <shirkdog () gmail com>
Date: Fri, 29 May 2015 08:23:42 -0400
You just need to use * instead of the sid, and modifysid.conf will modify all signatures. --- Michael Shirk On Thu, May 28, 2015 at 8:49 AM, Y M <snort () outlook com> wrote:
Hi Robert, Changing a rules action from "alert" to "drop" is better handled in dropsid.conf rather than "modifysid.conf". That said, to change all rules from "alert tcp" to "drop tcp", you can do something like, In dropsid.conf, add the following line: pcre:alert tcp Not much luck with adding the string "react:msg;" though. I attempted with pcre in modifysid.conf but no good. May be someone else can chime in. YM ________________________________ Date: Thu, 28 May 2015 13:50:49 +0200 From: wrkilu () wp pl To: snort-users () lists sourceforge net Subject: [Snort-users] Pulledpork and changing rules in modifysid.conf Hi, We need to change rules but I don't know how to do this by this file because I have difficult case. The goal is: changing in every rule with "alert tcp" to "drop tcp" AND add string "react: msg; " Thanks, Robert ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Pulledpork and changing rules in modifysid.conf Robert Lasota (May 28)
- Re: Pulledpork and changing rules in modifysid.conf Y M (May 28)
- Re: Pulledpork and changing rules in modifysid.conf Shirkdog (May 29)
- Re: Pulledpork and changing rules in modifysid.conf Y M (May 28)