Snort mailing list archives

add flag to drop rules


From: Yossi Nachum <nachum234 () gmail com>
Date: Wed, 5 Jun 2013 17:54:23 +0300

Hi,

I am using snort in inline mode with NFQ.

I configured all my drop rules using pulledpork with the following regex in
dropsid.conf
"pcre:balanced-ips\ drop"

Now I want to add a prefix to the messages of these rules so I will know
how to search if a drop rule was triggered.

I tried to add the following to modifysid.conf:
pcre:balanced-ips\ drop "\(msg:"" "\(msg:"balanced-ips ";

but it didn't do anything.

How can I add a prefix or some flag to these rules so I can search for them
in syslog?

Thanks,
Yossi
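The rewrite the post is asking for, done as an added example rather than through pulledpork's modifysid.conf (this is not pulledpork code and says nothing about why that line failed). It is a stand-alone post-processing step that reads the rules file pulledpork writes, picks the rules by the same selector the post uses in dropsid.conf (the `policy balanced-ips drop` string in the rule's metadata option), and inserts a `balanced-ips ` prefix at the start of msg. It assumes Snort 2.x VRT-style rules; the rule lines, the syslog lines, the sids and the addresses below are constructed for the example and not taken from any ruleset or sensor. The second function shows the payoff: with the prefix in place, the drop hits can be pulled out of syslog by sid without consulting the ruleset.

```python
"""Prefix the msg of Snort 2 rules selected by their balanced-ips drop policy
metadata, so the rule that fired can be found in syslog by that prefix.

Added example, not pulledpork code.  Assumes Snort 2.x VRT-style rules in which
the metadata option carries "policy balanced-ips drop".
"""
import re
from typing import List, Tuple

PREFIX = "balanced-ips "

# Same selector the post uses in dropsid.conf: the policy string inside the
# rule's metadata option (constructed rules below follow that layout).
POLICY_RE = re.compile(r"\bpolicy balanced-ips drop\b")

# msg is the first option in a VRT rule, so only the first (msg:" opener is
# rewritten; a literal (msg:" inside a later content match is never touched.
MSG_RE = re.compile(r'\(msg:"')
SID_RE = re.compile(r"\bsid:(\d+);")

# Constructed sample rules (not from any Snort ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE-WEB test one"; flow:to_server,established; content:"/example"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:9000001; rev:1;)
# comment lines are left alone
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE-MAIL test two"; flow:to_server,established; content:"EXPN"; metadata:policy security-ips drop, service smtp; classtype:attempted-recon; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE-DNS test three"; content:"|00 01|"; metadata:policy balanced-ips alert, policy security-ips drop, service dns; sid:9000003; rev:2;)
"""

# Constructed syslog lines in Snort's syslog alert layout; only the first
# carries the prefix that tag_rules() adds to msg.
SAMPLE_SYSLOG = """\
Jun  5 17:54:23 sensor snort[2231]: [1:9000001:1] balanced-ips EXAMPLE-WEB test one [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:51234 -> 10.0.0.5:80
Jun  5 17:54:24 sensor snort[2231]: [1:9000002:1] EXAMPLE-MAIL test two [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.7:51240 -> 10.0.0.9:25
"""


def tag_rule(line: str, prefix: str = PREFIX) -> str:
    """Return `line` with `prefix` inserted at the start of its msg.

    Comments, blank lines, rules without the drop policy, and rules that
    already carry the prefix come back unchanged, so the pass is idempotent
    and safe to re-run after every pulledpork update.
    """
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return line
    if not POLICY_RE.search(line) or MSG_RE.search(line) is None:
        return line
    if re.search(r'\(msg:"' + re.escape(prefix), line):
        return line  # already tagged on an earlier run
    return MSG_RE.sub('(msg:"' + prefix, line, count=1)


def tag_rules(text: str, prefix: str = PREFIX) -> Tuple[str, List[int]]:
    """Rewrite a whole rules file; return (new text, sids that were tagged)."""
    out, tagged = [], []
    for line in text.splitlines():
        new = tag_rule(line, prefix)
        if new != line:
            m = SID_RE.search(new)
            tagged.append(int(m.group(1)) if m else -1)
        out.append(new)
    return "\n".join(out) + "\n", tagged


def drop_hits(syslog_text: str, prefix: str = PREFIX) -> List[int]:
    """Return the sids of syslog alerts whose msg starts with `prefix`.

    Matches the "[gid:sid:rev] msg" part of Snort's syslog alert line, so the
    prefix is only honoured at the start of msg, not anywhere in the line.
    """
    pat = re.compile(r"\[(\d+):(\d+):(\d+)\] " + re.escape(prefix))
    hits = []
    for line in syslog_text.splitlines():
        m = pat.search(line)
        if m:
            hits.append(int(m.group(2)))
    return hits


if __name__ == "__main__":
    new_text, tagged = tag_rules(SAMPLE_RULES)
    print("tagged sids:", tagged)
    print(new_text)
    print("drop hits in syslog:", drop_hits(SAMPLE_SYSLOG))
```

Run it against the rules file after each pulledpork run (pulledpork rewrites that file, which is why the pass is written to be idempotent), then restart or SIGHUP Snort so the new msg text is loaded. Because the selector reads the policy metadata rather than the rule action, it does not depend on whether pulledpork has already turned `alert` into `drop` for those sids. The syslog search keys on the `[gid:sid:rev] ` marker so that the word `balanced-ips` appearing elsewhere in an alert line does not count as a hit.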
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!