Snort mailing list archives
Re: I would like to use PulledPork to add info into the msg: field
From: Avery Rozar <Avery.Rozar () i-techsupport com>
Date: Thu, 22 Aug 2013 17:48:24 +0000
Ok, I'll give it a shot. Thanks for your help.

From: JJC <cummingsj () gmail com>
Date: Thursday, August 22, 2013 12:35 PM
To: Avery Rozar <Avery.Rozar () i-techsupport com>
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] I would like to use PulledPork to add info into the msg: field

I would say adjust your run order such that modify is last. If only drop rules are listed then you would set the state first and modify the active rules at the end by simply adding "\(msg:"" "\(msg:"DROP ";

On Thu, Aug 22, 2013 at 9:20 AM, Avery Rozar <Avery.Rozar () i-techsupport com> wrote:

Looks like that would only work using the sids, right? I would like all 7K that are enabled to drop via dropsid.conf to add "drop" in the msg: area. Something like this (this did not work, either in modifysid or dropsid):

pcre:security-ips\ drop "\(msg:"" "\(msg:"DROP ";

On 8/22/13 10:37 AM, "JJ Cummings" <cummingsj () gmail com> wrote:

modifysid

Sent from the iRoad

On Aug 22, 2013, at 4:26, Avery Rozar <Avery.Rozar () i-techsupport com> wrote:

I'm using dropsid.conf to change security-ips rules to drop. Does anyone have pcre handy to also add information into the msg: field too? Like the word "drop", so when I run searches in the index server I can look for dropped actions.

Thank you.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
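The run order suggested in the thread (set the drop state first, rewrite msg: last), as an added example that is not part of the original messages and is not PulledPork's own code. It is a stand-alone Python sketch over constructed sample rules; the function names, the "DROP " tag and the metadata pattern used to select rules are assumptions for illustration.

```python
import re

# Rule header: optional "#" (disabled rule), then the action keyword.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<action>alert|drop|sdrop|reject|log|pass)\s')
MSG_RE = re.compile(r'(\bmsg\s*:\s*")')   # opening of the msg option
TAG = "DROP "                              # assumed prefix to search on later
PATTERN = r'policy security-ips drop'      # assumed selector (rule metadata)

def set_drop(rule, pattern=PATTERN):
    """Step 1 (state): turn an enabled alert rule into drop if it matches."""
    m = RULE_RE.match(rule)
    if m and not m.group("off") and m.group("action") == "alert" \
            and re.search(pattern, rule):
        return "drop" + rule[len("alert"):]
    return rule

def tag_msg(rule):
    """Step 2 (modify): prefix msg with TAG on enabled drop rules only."""
    m = RULE_RE.match(rule)
    if not m or m.group("off") or m.group("action") != "drop":
        return rule
    if re.search(r'\bmsg\s*:\s*"' + re.escape(TAG), rule):
        return rule  # already tagged, so repeated runs do not stack "DROP DROP"
    return MSG_RE.sub(lambda x: x.group(1) + TAG, rule, count=1)

def process(rules, pattern=PATTERN):
    """State change first, msg rewrite last, as recommended in the thread."""
    return [tag_msg(set_drop(r, pattern)) for r in rules]

# Constructed sample rules (not taken from any real ruleset).
SAMPLE = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule A"; '
    'content:"abc"; metadata:policy security-ips drop; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule B"; '
    'content:"def"; metadata:policy security-ips alert; sid:1000002; rev:1;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule C"; '
    'content:"ghi"; metadata:policy security-ips drop; sid:1000003; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DROP EXAMPLE rule D"; '
    'content:"jkl"; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    for line in process(SAMPLE):
        print(line)
```

Running the msg rewrite before the state change leaves rule A untagged, because it is still an alert rule at that point; that is why the modify step goes last.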