shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)
GNU General Public License v2.0

Added the ability to modify rules based on regex instead of hardcoded SID #305

Closed scottsavarese closed 5 years ago

scottsavarese commented 6 years ago

My client has a use case where our rules vendor maintains groups of rules that are the same except for the IP addresses being matched. In our use case, to use the existing modify function around SIDs, we'd have to add 600+ SIDs to the modifysid.conf file. Plus, if the vendor ever added more rules in that group, we'd have to add those SIDs manually. This was undesirable. By using the regex, it becomes much more automatic and thus scalable for our needs.

shirkdog commented 5 years ago

Once I get this added manually, I will close the pull request, but this should be good.