Re: I would like to use PulledPork to add info into the msg: field

[Avery Rozar <Avery.Rozar () i-techsupport com>]

Your right, "DROP, DROP, DROP, DROP" would just plain suck...

On 8/22/13 12:55 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

> On 8/22/2013 11:20, Avery Rozar wrote:
> > Looks like that would only work using the sids right? I would like all
> > 7K
> > that care enabled to drop vi dropsid.conf to add "drop" in the msg:
> > area.
> >
> > Something like this, (this did not work, either in modifysid, or
> > dropsid)
> >
> > pcre:security-ips\ drop "\(msg:"" "\(msg:"DROP ";
>
> i think that if the above were to work you would also need to escape the
> internal quotes...
>
>  pcre:security-ips\ drop "\(msg:\"" "\(msg:\"DROP ";
>
> but the above simply shoves drop in without bothering if drop is already
> in the 
> msg... what would happen on the third or fourth time that a rule is
> modified in 
> this manner? would the MSG in it be "DROP DROP DROP DROP foobie blarg"??
>
> i think jj, as the author/maintainer of PP, is on the right track
> pointing to 
> modifysid because that is exactly what it is for... yes, it means having
> a 
> duplicate list of entries to deal with... this is no different than
> oinkmaster ;)
>
> of course, instead of using dropsid, you could possibly perform
> everything with 
> modifysid... it may be more intricate and may possibly require more than
> one 
> entry for each step in modifysid but then you would have all parts in the
> one 
> file instead of spread out in two...
>
> -- 
> NOTE: No off-list assistance is given without prior approval.
>       Please keep mailing list traffic on the list unless
>       private contact is specifically requested and granted.
>
> --------------------------------------------------------------------------
> ----
> Introducing Performance Central, a new site from SourceForge and
> AppDynamics. Performance Central is your source for news, insights,
> analysis and resources for efficient Application Performance Management.
> Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktr
> k
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!


------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!