securityonion/salt/idstools/etc/modify.conf

{%- set modify_sids = salt['pillar.get']('idstools:sids:modify', {}) -%}
# idstools-rulecat - modify.conf

# Format: <sid> "<from>" "<to>"

# Example changing the seconds for rule 2019401 to 3600.
#2019401 "seconds \d+" "seconds 3600"
{%- if modify_sids != None %}
{%- for sid in modify_sids %}
{{ sid }}
{%- endfor %}
{%- endif %}