[Emerging-Sigs] Those using Oinkmaster - useful modifysid rules

JJC cummingsj at gmail.com
Tue Oct 19 22:01:08 EDT 2010


lol, indeed KISS.. as to the multiple rules... I moved away from that
to further simplify (your preferred method ;) )  the snort config..
I'm of course always open to suggestion, so if you have a good
use-case..

On Tue, Oct 19, 2010 at 6:17 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/19/2010 13:11, JJC wrote:
>> actually, disablesid,enablesid,modifysid,dropsid (in PP anyway) allows
>> for the following usage:
>>
>> regex example to disable/enable/drop (based on the file and directive
>> you specify) all MS07 through MS10 rules
>> pcre:MS(0[7-9]|10)-\d+
>
> interesting! TBH, i've never tried regex stuff with disablesid... maybe the KISS
> principle lives too deeply in me?? ;)
>
> now if pulledpork has an option to /not/ merge all rules into one rules set
> file, that may make a difference for my/our configuration(s)...
>
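
A dry run of the selector quoted above, as an added example that is not part of the original thread and is not PulledPork's own code: it previews which rules a `pcre:` entry would select before the entry goes into a disablesid/enablesid/dropsid file. It assumes the pattern is searched case-insensitively anywhere in the rule text; the sample rules, their SIDs and the helper names are constructed for illustration.

```python
import re

# Constructed sample rules (not from any real ruleset); SIDs are placeholders.
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE NETBIOS MS08-067 style request"; sid:9000001; rev:1;)',
    'alert tcp any any -> $HOME_NET any (msg:"EXAMPLE LNK handling MS10-046"; sid:9000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE older bulletin MS06-040"; sid:9000003; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE webapp probe"; content:"/CMS09-1/"; sid:9000004; rev:1;)',
]

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def preview(selector, rules, gid=1):
    """Return [(gid:sid, msg, matched_text)] for every rule the selector hits."""
    # Accept the entry exactly as it would be written in the conf file.
    body = selector.split(":", 1)[1] if selector.startswith("pcre:") else selector
    pattern = re.compile(body, re.IGNORECASE)  # assumption: case-insensitive search
    hits = []
    for line in rules:
        sid = SID_RE.search(line)
        if not sid:
            continue  # not a rule line
        m = pattern.search(line)  # assumption: matched against the whole rule text
        if m:
            msg = MSG_RE.search(line)
            hits.append((f"{gid}:{sid.group(1)}", msg.group(1) if msg else "", m.group(0)))
    return hits


def sids(selector, rules):
    """Just the gid:sid identifiers the selector would change."""
    return [hit[0] for hit in preview(selector, rules)]


if __name__ == "__main__":
    # The selector from the thread, then a variant anchored on a word boundary.
    for sel in (r"pcre:MS(0[7-9]|10)-\d+", r"pcre:\bMS(0[7-9]|10)-\d+"):
        print(sel)
        for gid_sid, msg, text in preview(sel, SAMPLE_RULES):
            print(f"  {gid_sid}  matched {text!r}  msg={msg!r}")
```

On the constructed rules the unanchored pattern also selects the rule whose `content` contains `/CMS09-1/`, which matters when the directive disables detection; the `\b` variant leaves that rule alone.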

