[Snort-users] Oinkmaster and 1394
markus.lude at ...348...
Sun Aug 10 16:33:14 EDT 2008
On Sun, Aug 10, 2008 at 07:49:08AM -0600, James Lay wrote:
> So I know there's a way to do this...I've seen it posted here before but for
> the life of me I can't find the posting.
> I get a lot of FP's with sid 1394 (shellcode) on port 25. What's the way to
> use oinkmaster to modifysid to change the second occurrence of "any" to
> "!25"? Thanks all!
For some examples of modifysid you could take a look at your oinkmaster
config file. In your special case the following may help:
modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"
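
A dry run of the substitution above, as an added example that is not part of the original message or of Oinkmaster itself. It assumes modifysid performs a regex replacement on the rule carrying the given sid and mimics that with sed on two constructed rules (the rule text, sid 9000001 and the function names are made up for illustration):

```shell
#!/bin/sh
# Constructed sample rules, not the real Snort rule text; only the
# "src -> dst" header layout matters for this demonstration.
RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed shellcode rule"; sid:1394; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed unrelated rule"; sid:9000001; rev:1;)'

# apply_modifysid SID REGEX REPLACEMENT (hypothetical helper)
# Replaces the first match of REGEX, but only on the line containing sid:SID;
# every other rule passes through untouched.
apply_modifysid() {
    printf '%s\n' "$RULES" | sed "/sid:$1;/ s/$2/$3/"
}

# The regex escapes "$" so it is a literal dollar sign rather than an
# end-of-line anchor. Matching on "$HOME_NET any" selects the destination
# side: the source side reads "$EXTERNAL_NET any" and so is left alone.
preview() {
    apply_modifysid 1394 '\$HOME_NET any' '$HOME_NET !25'
}

preview
```

Comparing this output with the rule file Oinkmaster actually writes confirms that the source port stays "any", the destination port becomes "!25", and no other sid is changed.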