[Snort-users] Oinkmaster and 1394

Markus Lude markus.lude at ...348...
Sun Aug 10 16:33:14 EDT 2008


On Sun, Aug 10, 2008 at 07:49:08AM -0600, James Lay wrote:
> So I know there's a way to do this...I've seen it posted here before but for
> the life of me I can't find the posting.
> 
> I get a lot of FPs with sid 1394 (shellcode) on port 25.  What's the way to
> use oinkmaster to modifysid to change the second occurrence of "any" to
> "!25"?  Thanks all!

For some examples of modifysid you could take a look at your oinkmaster
config file. In your special case the following may help:

modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"

Regards,
Markus
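
Added example, not part of the original message and not Oinkmaster code: a Python pre-flight check that approximates modifysid as a first-match regex substitution and confirms the edit landed on the destination port. The sample rule text is constructed (it is not the real sid 1394), and the helper names are hypothetical.

```python
import re

# Constructed sample rule; only the header shape matters, not the real sid 1394 body.
SAMPLE_RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"constructed shellcode sample"; content:"AAAAAAAA"; sid:1394; rev:1;)')

def ports(rule):
    """Return (source_port, dest_port) from a Snort rule header."""
    header = rule.split('(', 1)[0].split()
    if len(header) != 7:  # action proto src sport direction dst dport
        raise ValueError('unexpected rule header: %r' % header)
    return header[3], header[6]

def apply_modifysid(rule, pattern, replacement):
    """Approximate modifysid: replace the first regex match only.

    Assumption: the replacement is treated as literal text after
    unescaping '\\$'; Perl-specific substitution features are not modelled.
    """
    literal = replacement.replace('\\$', '$')
    return re.subn(pattern, lambda m: literal, rule, count=1)

def check(rule, pattern, replacement, want_dport):
    """Classify a modifysid attempt: 'ok', 'no-match' or 'wrong-field'."""
    src_before, _ = ports(rule)
    new_rule, count = apply_modifysid(rule, pattern, replacement)
    if count == 0:
        return 'no-match', rule
    src_after, dst_after = ports(new_rule)
    if src_after != src_before or dst_after != want_dport:
        return 'wrong-field', new_rule
    return 'ok', new_rule

if __name__ == '__main__':
    attempts = [
        (r'\$HOME_NET any', r'\$HOME_NET !25'),  # pattern from the reply above
        (r'$HOME_NET any', r'\$HOME_NET !25'),   # unescaped $ acts as a regex anchor
        (r'any', '!25'),                         # too broad: hits the source port first
    ]
    for pattern, replacement in attempts:
        status, result = check(SAMPLE_RULE, pattern, replacement, '!25')
        print('%-12s %-18s %s' % (status, pattern, result.split('(', 1)[0]))
```

Anchoring the pattern on "$HOME_NET any" is what selects the second "any" in this header; after the next rule update, a sid 1394 whose destination port is not "any" means the substitution did not match.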