blob: 70bfb3e2d5fd65fc39cce2238d4eaccdcfa4c3bd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
# suricata-update - modify.conf
# Format: <sid> "<from>" "<to>"
# Example changing the seconds for rule 2019401 to 3600.
# 2019401 "seconds \d+" "seconds 3600"
#
# Example converting all alert rules to drop:
# re:. ^alert drop
#
# Example converting all drop rules with noalert back to alert:
# re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2"
# Change all trojan-activity rules to drop. Its better to setup a
# drop.conf for this, but this does show the use of back references.
# re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
# For compatibility, most Oinkmaster modifysid lines should work as
# well.
# modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
# Add metadata.
#metadata-add re:"SURICATA STREAM" "evebox-action" "archive"
#metadata-add 2010646 "evebox-action" "archive"
|