[Snort-users] Oinkmaster and 1394
jlay at ...13475...
Sun Aug 10 21:30:07 EDT 2008
On 8/10/08 2:33 PM, "Markus Lude" <markus.lude at ...348...> wrote:
> On Sun, Aug 10, 2008 at 07:49:08AM -0600, James Lay wrote:
>> So I know there's a way to do this...I've seen it posted here before but for
>> the life of me I can't find the posting.
>> I get a lot of FP's with sid 1394 (shellcode) on port 25. What's the way to
>> use oinkmaster to modifysid to change the second occurrence of "any" to
>> "!25"? Thanks all!
> For some examples of modifysid you could take a look at your oinkmaster
> config file. In your special case the following may help:
> modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"
Just what I needed...thanks Markus..I'll take another look at the config
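
An added illustration, not part of the thread and not Oinkmaster's own code: a Python sketch of what the modifysid line above does to a rule. The rule texts are constructed samples (the real text of sid 1394 is not shown in the thread), Python's `re` stands in for Perl's substitution, and replacing only the first match is an assumption. It also shows why the `$` has to be escaped in the pattern.

```python
import re

# Constructed sample rules; the real text of sid 1394 is not on the page.
SAMPLE_RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"constructed shellcode rule"; content:"AAAAAAAA"; sid:1394; rev:1;)')
OTHER_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
              '(msg:"constructed unrelated rule"; sid:9000001; rev:1;)')

# The directive exactly as given in the reply above.
DIRECTIVE = r'modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"'


def parse_modifysid(line):
    """Split a single-SID modifysid line into (sid, pattern, replacement)."""
    m = re.fullmatch(r'\s*modifysid\s+(\d+)\s+"(.*?)"\s*\|\s*"(.*)"\s*', line)
    if not m:
        raise ValueError("not a single-SID modifysid line: %r" % line)
    return int(m.group(1)), m.group(2), m.group(3)


def rule_sid(rule):
    """Return the sid option of a rule as an int, or None if absent."""
    m = re.search(r'\bsid:\s*(\d+)\s*;', rule)
    return int(m.group(1)) if m else None


def apply_modifysid(rule, directive):
    """Apply the directive to the rule only when the SIDs match."""
    sid, pattern, repl = parse_modifysid(directive)
    if rule_sid(rule) != sid:
        return rule                      # other rules are left untouched
    literal = repl.replace(r'\$', '$')   # "\$" in the replacement means a literal "$"
    # Assumption: one substitution per rule, like a non-global s///.
    return re.sub(pattern, lambda _m: literal, rule, count=1)


def header(rule):
    """Everything before the option block, i.e. action/proto/addresses/ports."""
    return rule.split('(', 1)[0].strip()


if __name__ == "__main__":
    print(header(apply_modifysid(SAMPLE_RULE, DIRECTIVE)))
    # Unescaped "$" is an end-of-line anchor, so the pattern never matches.
    unescaped = 'modifysid 1394 "$HOME_NET any" | "$HOME_NET !25"'
    print(apply_modifysid(SAMPLE_RULE, unescaped) == SAMPLE_RULE)
```

After running Oinkmaster for real, the same check applies: open the updated rules file and confirm that only the destination port of sid 1394 changed.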