From: Shivani Bhardwaj
Date: Fri, 26 Jun 2020 12:52:38 +0000 (+0530)
Subject: modify.conf: add more examples of usage
X-Git-Tag: 1.2.0rc2~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d73cdf48a01e0620905bc0ea075a7368cf5477b9;p=thirdparty%2Fsuricata-update.git

modify.conf: add more examples of usage

Closes redmine ticket 3550.
---
diff --git a/suricata/update/configs/modify.conf b/suricata/update/configs/modify.conf
index e3f6d0f..5bd1455 100644
--- a/suricata/update/configs/modify.conf
+++ b/suricata/update/configs/modify.conf
@@ -3,12 +3,18 @@
 # Format: "" ""
 # Example changing the seconds for rule 2019401 to 3600.
-#2019401 "seconds \d+" "seconds 3600"
+# 2019401 "seconds \d+" "seconds 3600"
+#
+# Example converting all alert rules to drop:
+# re:. ^alert drop
+#
+# Example converting all drop rules with noalert back to alert:
+# re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2"
 # Change all trojan-activity rules to drop. Its better to setup a
 # drop.conf for this, but this does show the use of back references.
-#re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
+# re:classtype:trojan-activity "(alert)(.*)" "drop\\2"
 # For compatibility, most Oinkmaster modifysid lines should work as
 # well.
-#modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
+# modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"
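Review bot: The new `# re:. ^alert drop` example carries no warning that, uncommented as written, it rewrites every rule in the ruleset to drop, so in an inline IPS deployment a single false positive becomes blocked traffic; the file already steers users to drop.conf for the far narrower trojan-activity case two examples below. Consider a caveat directly above it, e.g. `# (Use with care: this rewrites every rule; prefer drop.conf for targeted drops.)`. The second new example only restores rules that contain `noalert`, so any other rule converted by the first example stays at drop; saying so in that comment (`# ... (rules without noalert stay at drop)`) would avoid the impression that the pair round-trips. Both examples appear to rely on the same shlex-style argument parsing as the existing quoted examples, but the first uses unquoted arguments while the second quotes them; using one form consistently would make it clearer that quoting is optional only when the pattern contains no whitespace.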