[Oisf-users] suricata update modify
Jason Ish
ish at unx.ca
Thu Oct 18 17:37:49 UTC 2018
Hi Slava,
On Thu, Oct 18, 2018 at 5:58 AM Slava Bendersky <volga629 at networklab.ca>
wrote:
> Hello Everyone,
> Can't figure out how to insert nfq connection mark in drop rules
> in /etc/suricata/modify.conf.
> First one works, second incorrect.
> Any help thank you.
>
> re:. ^alert drop
> re:. ";)$" "; nfq_set_mark:0x2\/0xffffffff;)"
>
In your second line you'll have to escape the ')' as it's not part of a
regular expression grouping, so this will have it looking like:
re:. ";\)$" "; nfq_set_mark:0x2\/0xffffffff;)"
Also, in your "to" expression you should not be escaping the "/", this will
result in a rule that won't be loaded by Suricata. So what I think you are
looking for is:
re:. ";\)$" "; nfq_set_mark:0x2/0xffffffff;)"
Hope that helps,
Jason
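As an added example (my code, not from the thread and not suricata-update's own code), the following is a small dry-run that reproduces the two failure modes Jason describes before a line ever reaches suricata-update: it splits a three-argument "re:" modify.conf line with shlex, compiles the from-regex (an unescaped ')' fails to compile) and applies the substitution to a constructed sample rule (a backslash before '/' in the to-string survives into the rule text). The split-then-match-then-substitute model is an assumption about how suricata-update handles modify.conf; SAMPLE_RULE, NFQ_MARK_RE, parse_modify_line, apply_modify_line and check_modify_line are names I chose, and the nfq_set_mark format check is a simplified one.

```python
import re
import shlex

# Constructed sample rule (not from the thread), already in drop form, so
# only the nfq_set_mark rewrite from the thread operates on it.
SAMPLE_RULE = (
    'drop tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE constructed test rule"; flow:established,to_server; '
    'sid:1000001; rev:1;)'
)

# Assumed shape of a well-formed nfq_set_mark option: mark/mask, hex or decimal.
NFQ_MARK_RE = re.compile(
    r"nfq_set_mark:(0x[0-9a-fA-F]+|[0-9]+)/(0x[0-9a-fA-F]+|[0-9]+);"
)


def parse_modify_line(line):
    """Parse a three-argument modify.conf line: re:<match> "<from>" "<to>".

    Simplified model (assumption) of suricata-update's modify handling: the
    line is split with shlex, <match> is a regex that selects rules, and
    <from>/<to> drive a regex substitution on the selected rule text.
    An unescaped ')' in <from> makes re.compile raise re.error.
    """
    tokens = shlex.split(line)
    if len(tokens) != 3 or not tokens[0].startswith("re:"):
        raise ValueError('expected: re:<match-regex> "<from-regex>" "<to>"')
    matcher = re.compile(tokens[0][len("re:"):])
    pattern = re.compile(tokens[1])  # re.error "unbalanced parenthesis" for ";)$"
    return matcher, pattern, tokens[2]


def apply_modify_line(line, rule):
    """Apply one modify.conf line to a rule string; return the rewritten rule."""
    matcher, pattern, repl = parse_modify_line(line)
    if not matcher.search(rule):
        return rule
    # Python keeps an unknown non-letter escape such as "\/" in the replacement
    # as-is, so a backslash written in <to> ends up literally inside the rule.
    return pattern.sub(repl, rule)


def check_modify_line(line, rule=SAMPLE_RULE):
    """Dry-run a modify.conf line against one rule.

    Returns (status, detail):
      ("bad-regex", message)     the <from> regex does not compile
      ("invalid-option", rule)   rewritten rule carries a malformed nfq_set_mark
      ("ok", rule)               rewritten rule looks loadable
    """
    try:
        new_rule = apply_modify_line(line, rule)
    except re.error as err:
        return ("bad-regex", str(err))
    if "nfq_set_mark" in new_rule and not NFQ_MARK_RE.search(new_rule):
        return ("invalid-option", new_rule)
    return ("ok", new_rule)


if __name__ == "__main__":
    # The three variants from the thread: the poster's line, the line with
    # only the ')' escaped, and the corrected line.
    for line in (
        r're:. ";)$" "; nfq_set_mark:0x2\/0xffffffff;)"',
        r're:. ";\)$" "; nfq_set_mark:0x2\/0xffffffff;)"',
        r're:. ";\)$" "; nfq_set_mark:0x2/0xffffffff;)"',
    ):
        status, detail = check_modify_line(line)
        print("%-15s %s" % (status, detail))
```

Run it as a script to see the poster's original line rejected as a bad regex, the half-fixed line produce a rule with a literal "\/" in the nfq_set_mark option, and the corrected line produce "nfq_set_mark:0x2/0xffffffff;" appended before the closing parenthesis.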