# example enablesid.conf v3.1 # SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file # will be set back to their ORIGINAL state as it was read when they were # originally extracted from the source tarball! # Example of modifying state for individual rules # 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 # Example of modifying state for rule ranges # 1:220-1:3264,3:13010-3:13013 # Comments are allowed in this file, and can also be on the same line # As the modify state syntax, as long as it is a trailing comment # 1:1011 # I Disabled this rule because I could! # Example of modifying state for MS and cve rules, note the use of the : # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, # and all MS00 and all cve 2000 related sids! These support regular expression # matching only after you have specified what you are looking for, i.e. # MS00- or cve:, the first section CANNOT contain a regular # expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) # for this. # MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ # Example of using the pcre: keyword to modify rulestate. the pcre keyword # allows for full use of regular expression syntax, you do not need to designate # with / and all pcre searches are treated as case insensitive. For more information # about regular expression syntax: http://www.regular-expressions.info/ # The following example modifies state for all MS07 through MS10 # pcre:MS(0[7-9]|10)-\d+ # Example of modifying state for specific categories entirely (see README.CATEGORIES) # VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp # Any of the above values can be on a single line or multiple lines, when # on a single line they simply need to be separated by a , # 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 # The modifications in this file are for sample/example purposes only and # should not actively be used, you need to modify this file to fit your # environment. PCRE wildcard "."