My client has a use case where our rules vendor maintains groups of rules that are the same except for the IP addresses being matched. In our use case, to use the existing modify function around SIDs, we'd have to add 600+ SIDs to the modifysid.conf file. Plus, if the vendor ever added more rules in that group, we'd have to add those SIDs manually. This was undesirable. By using the regex, it becomes much more automatic and thus scalable for our needs.