# example modifysid.conf v1.1 2/18/2011 Alan Ptak
#
# Change history:
# -----------------------------------------------
# v1.1 2/18/2011  Alan Ptak
# - Inserted comments around example elements that would otherwise modify rules
#
# v1.0 7/25/2010 JJC
# - original release
# -----------------------------------------------
#
# formatting is simple
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
#
# Note that this will only work with GID:1 rules, simply because modifying
# GID:3 stub rules would not actually affect the rule, thusly it will remain
# non modifyable!
#
# If you are attempting to change rulestate (enable,drop,disable) from here
# then you are doing it wrong, it is much more efficient to do so from within 
# the respective rulestate modification configuration files, please see doc/
# and the README file!

# the following applies to sid 10010 only and represents what would normally
# be s/to_client/from_server/
# 10010 "to_client" "from_server"

# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
# rules
# "HTTP_PORTS" "HTTPS_PORTS"

# multiple sids can be specified as noted below:
# 302,429,1821 "\$EXTERNAL_NET" "$HOME_NET"

# example of modification of a rule to make snortsam BLOCK the rule:
# note that one rule changes from alert to BLOCK and that the other 
# modifies the msg:" field value so that when the alert occurs it is noted
# that it is a SNORTSAM block rule!
# 17803 "\(msg:"" "\(msg:"SNORTSAM ";
# 17803 "^\s*alert" "BLOCK";