Snort mailing list archives

Re: Pulledpork and changing rules in modifysid.conf


From: Y M <snort () outlook com>
Date: Thu, 28 May 2015 12:49:36 +0000

Hi Robert,

Changing a rule's action from "alert" to "drop" is better handled in dropsid.conf rather than "modifysid.conf". That said, to change all rules from "alert tcp" to "drop tcp", you can do something like this: in dropsid.conf, add the following line:

pcre:alert tcp

Not much luck with adding the string "react:msg;" though. I attempted with pcre in modifysid.conf but no good. Maybe someone else can chime in.

YM

Date: Thu, 28 May 2015 13:50:49 +0200
From: wrkilu () wp pl
To: snort-users () lists sourceforge net
Subject: [Snort-users] Pulledpork and changing rules in modifysid.conf


Hi,

We need to change rules, but I don't know how to do this with this file because I have a difficult case.

The goal is: changing every rule with "alert tcp" to "drop tcp" AND adding the string "react: msg; "

Thanks,

Robert

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
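
The rewrite Robert describes, done as a stand-alone pass over rule text rather than through PulledPork (an added example, not code from this thread or from the PulledPork project). The function names, the sample rules and the choice to place `react:msg;` last, just before the closing parenthesis, are assumptions.

```python
import re

# Rule header that starts with the action and protocol named in the thread.
ALERT_TCP = re.compile(r'^alert(\s+tcp\b)')
# Quoted option values (msg, content, pcre) are blanked before looking for
# option keywords, so text inside a string is never mistaken for an option.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
REACT_OPT = re.compile(r'[(;]\s*react\s*[:;]')


def rewrite_rule(line, react_option="react:msg;"):
    """Return the rule with 'alert tcp' changed to 'drop tcp' and the react
    option appended; any other line is returned unchanged."""
    body = line.rstrip("\r\n")
    ending = line[len(body):]
    stripped = body.rstrip()
    # Commented-out (disabled) rules, blanks and other headers stay as they are.
    if not ALERT_TCP.match(stripped) or not stripped.endswith(")"):
        return line
    rule = ALERT_TCP.sub(r"drop\1", stripped, count=1)
    if not REACT_OPT.search(QUOTED.sub('""', rule)):
        # Assumption: the option goes last, just before the closing parenthesis.
        options = rule[:-1].rstrip()
        if not options.endswith(";") and not options.endswith("("):
            options += ";"
        rule = f"{options} {react_option})"
    return rule + ending


def rewrite_rules(text):
    """Apply rewrite_rule to every line, preserving line endings."""
    return "".join(rewrite_rule(l) for l in text.splitlines(keepends=True))


# Constructed sample rules (not taken from any real ruleset).
SAMPLE = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE block; react: page"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE udp rule"; sid:1000002; rev:1;)
# alert tcp any any -> any 23 (msg:"EXAMPLE disabled"; sid:1000003; rev:1;)
drop tcp any any -> any 21 (msg:"EXAMPLE already drop"; sid:1000004; rev:1;)
'''

if __name__ == "__main__":
    print(rewrite_rules(SAMPLE), end="")
```

Only the first sample rule changes; the UDP rule, the commented-out rule and the rule that is already `drop` pass through untouched, and running the pass twice gives the same output.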
  