modify.conf: add more examples of usage

author Shivani Bhardwaj <shivanib134@gmail.com>

Fri, 26 Jun 2020 12:52:38 +0000 (18:22 +0530)

committer Shivani Bhardwaj <shivanib134@gmail.com>

Thu, 3 Sep 2020 15:30:17 +0000 (21:00 +0530)
author Shivani Bhardwaj <shivanib134@gmail.com>
Fri, 26 Jun 2020 12:52:38 +0000 (18:22 +0530)
committer Shivani Bhardwaj <shivanib134@gmail.com>
Thu, 3 Sep 2020 15:30:17 +0000 (21:00 +0530)
diff --git a/suricata/update/configs/modify.conf b/suricata/update/configs/modify.conf

index e3f6d0f0e5b7e186c6b618ee28b58e64a76a21c2..5bd145545898d75e3702342187004ab5197cfd69 100644 (file)
--- a/suricata/update/configs/modify.conf
+++ b/suricata/update/configs/modify.conf
@@ -3,12 +3,18 @@
  # Format: <sid> "<from>" "<to>"
  
  # Example changing the seconds for rule 2019401 to 3600.
-#2019401 "seconds \d+" "seconds 3600"
+# 2019401 "seconds \d+" "seconds 3600"
+#
+# Example converting all alert rules to drop:
+# re:. ^alert drop
+#
+# Example converting all drop rules with noalert back to alert:
+# re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2"
  
  # Change all trojan-activity rules to drop. Its better to setup a
  # drop.conf for this, but this does show the use of back references.
-#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
+# re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
  
  # For compatibility, most Oinkmaster modifysid lines should work as
  # well.
-#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
+# modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
author	Shivani Bhardwaj <shivanib134@gmail.com>
	Fri, 26 Jun 2020 12:52:38 +0000 (18:22 +0530)
committer	Shivani Bhardwaj <shivanib134@gmail.com>
	Thu, 3 Sep 2020 15:30:17 +0000 (21:00 +0530)