Home page logo
/

snort logo Snort mailing list archives

add flag to drop rules
From: Yossi Nachum <nachum234 () gmail com>
Date: Wed, 5 Jun 2013 17:54:23 +0300

Hi,

I am using snort in inline mode with NFQ.

I configured all my drop rules using pulledpork with the following regex in
dropsid.conf
"pcre:balanced-ips\ drop"

Now I want to add a prefix to the messages of these rules so I will know
how to search if a drop rule was triggered.

I try to add the following to modifysid.conf:
pcre:balanced-ips\ drop "\(msg:"" "\(msg:"balanced-ips ";

but it didn't do anything.

How can I add a prefix or some flag to these rules so I can search for them
in syslog?

Thanks,
Yossi
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
  • add flag to drop rules Yossi Nachum (Jun 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]