Snort mailing list archives

add flag to drop rules
From: Yossi Nachum <nachum234 () gmail com>
Date: Wed, 5 Jun 2013 17:54:23 +0300


I am using Snort in inline mode with NFQ.

I configured all my drop rules using pulledpork with the following regex in
"pcre:balanced-ips\ drop"

Now I want to add a prefix to the messages of these rules so I will know
how to search if a drop rule was triggered.

I tried to add the following to modifysid.conf:
pcre:balanced-ips\ drop "\(msg:"" "\(msg:"balanced-ips ";

but it didn't do anything.

How can I add a prefix or some flag to these rules so I can search for them
in syslog?
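
One way to get a searchable tag, as an added example that is not part of the original post: post-process the rules file that pulledpork generates and prepend a prefix to the `msg` of every rule whose action is `drop`, instead of relying on modifysid.conf. The function names and the sample rules are assumptions constructed for illustration; the prefix is the one the post asks for.

```python
import re

# Start of a rule's msg option, e.g. (msg:"...
MSG_RE = re.compile(r'\bmsg\s*:\s*"')
# Active rules begin with their action; commented-out rules begin with '#'.
DROP_RE = re.compile(r'^\s*drop\s')

def add_prefix(line, prefix):
    """Prepend prefix to the msg text of one rule line (idempotent)."""
    m = MSG_RE.search(line)
    if m is None or line.startswith(prefix, m.end()):
        return line  # no msg option, or already tagged on an earlier run
    return line[:m.end()] + prefix + line[m.end():]

def tag_drop_rules(rules_text, prefix="balanced-ips "):
    """Return rules_text with prefix added to the msg of every active drop rule."""
    out = []
    for line in rules_text.splitlines(keepends=True):
        if DROP_RE.match(line):
            line = add_prefix(line, prefix)
        out.append(line)
    return "".join(out)

# Constructed sample rules, not taken from any real rule set.
SAMPLE = (
    '# constructed sample rules\n'
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE web attack"; content:"abc"; sid:1000001; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXAMPLE ssh scan"; sid:1000002; rev:1;)\n'
    '# drop udp any any -> any 53 (msg:"EXAMPLE disabled"; sid:1000003; rev:1;)\n'
)

if __name__ == "__main__":
    print(tag_drop_rules(SAMPLE), end="")
```

Because the rewrite is idempotent, it can run after every pulledpork update without stacking prefixes; alerts from drop rules can then be found in syslog by searching for the prefix.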
