# example enablesid.conf # Example of modifying state for individual rules # 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 # Example of modifying state for rule ranges # 1:220-1:3264,3:13010-3:13013 # Comments are allowed in this file, and can also be on the same line # As the modify state syntax, as long as it is a trailing comment # 1:1011 # I Disabled this rule because I could! # Example of modifying state for MS and cve rules, note the use of the : # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, # and all MS00 and all cve 2000 related sids! These support regular expression # matching only after you have specified what you are looking for, i.e. # MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular # expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) # for this. # MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ # Example of using the pcre: keyword to modify rulestate. the pcre keyword # allows for full use of regular expression syntax, you do not need to designate # with / and all pcre searches are treated as case insensitive. For more information # about regular expression syntax: http://www.regular-expressions.info/ # The following example modifies state for all MS07 through MS10 # pcre:MS(0[7-9]|10)-\d+ # pcre:"Joomla" # Example of modifying state for specific categories entirely. # "snort_" limits to Snort VRT rules, "emerging-" limits to # Emerging Threats Open rules, "etpro-" limits to ET-PRO rules. # "shellcode" with no prefix would match in any vendor set. # snort_web-iis,emerging-shellcode,etpro-imap,shellcode # Any of the above values can be on a single line or multiple lines, when # on a single line they simply need to be separated by a , # 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233