Allow modifysid code to use regex substitutions like oinkmaster does

[GoogleCodeExporter]

What steps will reproduce the problem?
1. A line in modifysid.conf like:

1:469 "(.*msg:\s*\")(.*)" "${1}BLOCK: ${2}"

performs literal instead of regex substitution.

2.
3.

What is the expected output? What do you see instead?
It would be great if regex constructs could be used to insert the word BLOCK: 
at the beginning of the msg: stanza in the rule.

What version of the product are you using? On what operating system?
0.5.0 on Centos-5-5

Please provide any additional information below.

Original issue reported on code.google.com by CunningP...@gmail.com on 27 Oct 2010 at 10:08

[GoogleCodeExporter]

Original comment by Cummin...@gmail.com on 29 Oct 2010 at 11:47

• Added labels: Type-Enhancement
• Removed labels: Type-Defect

[GoogleCodeExporter]

Original comment by Cummin...@gmail.com on 29 Oct 2010 at 11:48

[GoogleCodeExporter]

Ok, after a thorough review, you are making this more complex than it needs to 
be..

IMHO the backref capability of oinkmaster is not needed, it's a waste of 
computation and memory.

using a regular expression search and replace you can achieve what you want.. 
here is a snortsam example, and I will add this to the modifysid.conf as an 
example also

# example of modification of a rule to make snortsam BLOCK the rule:
# note that one rule changes from alert to BLOCK and that the other 
# modifies the msg:" field value so that when the alert occurs it is noted
# that it is a SNORTSAM block rule!
17803 "\(msg:"" "\(msg:"SNORTSAM ";
17803 "^\s*alert" "BLOCK";

$ grep 'sid:17803' /home/jj/snort.rules 
BLOCK tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \(msg:"SNORTSAM .....

Original comment by Cummin...@gmail.com on 10 Nov 2010 at 5:51

• Changed state: WontFix