modifysid.conf does not consider sid list

shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)

GNU General Public License v2.0

419 stars 133 forks source link

Closed prof-ninjason closed 6 years ago

prof-ninjason commented 6 years ago

Cannot use a list of sids -- it will only modify the last sid in the list. I have to use single lines to get the expected results.

I have tried:

1:2009205,1:2009206,1:2009207,1:2009208 "1024:" "!3391,1024:" and 1:2009205-1:2009208 "1024:" "!3391,1024:"

Only works this way:

1:2009205 "1024:" "!3391,1024:" 1:2009206 "1024:" "!3391,1024:" 1:2009207 "1024:" "!3391,1024:" 1:2009208 "1024:" "!3391,1024:"

shirkdog commented 6 years ago

Think that is functioning as designed...

prof-ninjason commented 6 years ago

Ah. I assumed the list format was either comma or dash. Thanks