mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-25 10:23:20 +01:00
41 lines
1.5 KiB
Plaintext
41 lines
1.5 KiB
Plaintext
# example modifysid.conf v1.1 2/18/2011 Alan Ptak
|
|
#
|
|
# Change history:
|
|
# -----------------------------------------------
|
|
# v1.1 2/18/2011 Alan Ptak
|
|
# - Inserted comments around example elements that would otherwise modify rules
|
|
#
|
|
# v1.0 7/25/2010 JJC
|
|
# - original release
|
|
# -----------------------------------------------
|
|
#
|
|
# formatting is simple
|
|
# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
|
|
#
|
|
# Note that this will only work with GID:1 rules, simply because modifying
|
|
# GID:3 stub rules would not actually affect the rule, thusly it will remain
|
|
# non modifyable!
|
|
#
|
|
# If you are attempting to change rulestate (enable,drop,disable) from here
|
|
# then you are doing it wrong, it is much more efficient to do so from within
|
|
# the respective rulestate modification configuration files, please see doc/
|
|
# and the README file!
|
|
|
|
# the following applies to sid 10010 only and represents what would normally
|
|
# be s/to_client/from_server/
|
|
# 10010 "to_client" "from_server"
|
|
|
|
# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
|
|
# rules
|
|
# "HTTP_PORTS" "HTTPS_PORTS"
|
|
|
|
# multiple sids can be specified as noted below:
|
|
# 302,429,1821 "\$EXTERNAL_NET" "$HOME_NET"
|
|
|
|
# example of modification of a rule to make snortsam BLOCK the rule:
|
|
# note that one rule changes from alert to BLOCK and that the other
|
|
# modifies the msg:" field value so that when the alert occurs it is noted
|
|
# that it is a SNORTSAM block rule!
|
|
# 17803 "\(msg:"" "\(msg:"SNORTSAM ";
|
|
# 17803 "^\s*alert" "BLOCK";
|