Modifysid, ONLY for gid 1?


DigiAngel

Dec 19, 2013, 8:28:44 AM12/19/13
to pulledpo...@googlegroups.com
Topic says it...I'd like to modify:

alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)

to

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)

Will PP do that or am I out of luck?  Thank you.

Jeremy Hoel

Dec 19, 2013, 12:33:08 PM12/19/13
to pulledpo...@googlegroups.com
Ohhhh.. GID 3, no I don't think so. From the modifysid.conf file:

# Note that this will only work with GID:1 rules, simply because modifying
# GID:3 stub rules would not actually affect the rule, thusly it will remain
# non-modifiable!


The action for these rules happens in the binary; this rule is just
information about the binary version (as I understand it), so changing
it wouldn't really affect whether it happens or not.
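The GID:1-only constraint quoted above is easy to mirror in a small script. The following is an added example, not PulledPork's own code and not its modifysid.conf syntax: it keys a modification table on sid, parses gid/sid out of each rule text, rewrites only gid:1 rules, and reports non-gid:1 rules (such as the gid:138 sd_pattern rule from the thread) as skipped stubs. The sample rules, the (sid, search, replace) table format and all function names are constructed for illustration.

```python
import re

# Constructed sample rules (illustrative, not taken from any real ruleset).
# The gid:138 rule mirrors the one quoted in the thread; the gid:1 rule is a
# hypothetical text rule with the same header so the port rewrite can be
# shown on both.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] '
    '(msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; '
    'metadata:service http, service smtp, service ftp-data, service imap, '
    'service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] '
    '(msg:"EXAMPLE hypothetical text rule"; content:"SSN"; '
    'classtype:policy-violation; sid:1000003; rev:1;)',
]

# Hypothetical modification table: (sid, search regex, replacement).
# This is our own format for the example, not PulledPork's modifysid.conf.
MODS = [
    (3, r'\[80,20,25,143,110\]', '25'),
    (1000003, r'\[80,20,25,143,110\]', '25'),
]

_SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
_GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def rule_ids(rule):
    """Return (gid, sid) for a rule; a rule with no gid option is gid 1."""
    sid_m = _SID_RE.search(rule)
    if not sid_m:
        raise ValueError("rule has no sid option")
    gid_m = _GID_RE.search(rule)
    gid = int(gid_m.group(1)) if gid_m else 1
    return gid, int(sid_m.group(1))


def apply_mods(rules, mods):
    """Apply (sid, search, replace) entries to rules, returning
    (gid, sid, status, rule_text) per input rule.

    Only gid:1 rules are rewritten. Any other gid marks a preprocessor or
    decoder stub: the detection logic lives inside the engine, so editing
    the stub text would not change what gets inspected, and it is skipped.
    """
    out = []
    for rule in rules:
        gid, sid = rule_ids(rule)
        new_rule = rule
        status = "unchanged"
        for mod_sid, search, repl in mods:
            if mod_sid != sid:
                continue
            if gid != 1:
                status = "skipped: gid %d stub is not modifiable" % gid
                break
            new_rule, n = re.subn(search, repl, new_rule)
            status = "modified" if n else "no match"
        out.append((gid, sid, status, new_rule))
    return out


if __name__ == "__main__":
    for gid, sid, status, rule in apply_mods(SAMPLE_RULES, MODS):
        print("gid:%d sid:%d -> %s" % (gid, sid, status))
        print("  " + rule)
```

Run stand-alone, the gid:138 rule is reported as skipped and left byte-for-byte intact, while the gid:1 rule has its destination port list collapsed to 25; the skip is decided on gid alone, so the same table would silently do nothing to the sdf rule no matter what the search pattern is.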

JJ Cummings

Dec 19, 2013, 1:48:41 PM12/19/13
to pulledpo...@googlegroups.com, pulledpo...@googlegroups.com
That's partially true... Some options can be modified, I'll be updating the code soon..

Sent from the iRoad

James Lay

Dec 20, 2013, 8:27:02 PM12/20/13
to pulledpo...@googlegroups.com
Thanks for the responses on this.

James