[Snort-users] Oinkmaster and 1394

James Lay jlay at ...13475...
Sun Aug 10 21:30:07 EDT 2008




On 8/10/08 2:33 PM, "Markus Lude" <markus.lude at ...348...> wrote:

> On Sun, Aug 10, 2008 at 07:49:08AM -0600, James Lay wrote:
>> So I know there's a way to do this...I've seen it posted here before but for
>> the life of me I can't find the posting.
>> 
>> I get a lot of FP's with sid 1394 (shellcode) on port 25.  What's the way to
>> use oinkmaster to modifysid to change the second occurrence of "any" to
>> "!25"?  Thanks all!
> 
> For some examples of modifysid you could take a look at your oinkmaster
> config file. In your special case the following may help:
> 
> modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"
> 
> Regards,
> Markus
> 


Just what I needed...thanks Markus..I'll take another look at the config
file again.

James
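
The substitution suggested above, modelled in Python as an added example (not part of the original thread and not Oinkmaster's own code): it applies the pattern to a constructed sample rule and reports which header field changed, so the edit can be checked before the ruleset is deployed. The sample rule text, the function names, and the treatment of modifysid as a first-match regex substitution with a literal replacement are assumptions.

```python
import re

# Constructed sample rule for illustration; not the text of the real sid 1394.
SAMPLE_RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"constructed shellcode rule"; content:"AAAA"; sid:1394; rev:1;)')

HEADER_RE = re.compile(
    r'^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

def parse_header(rule):
    """Split a single-line Snort rule into its header fields and option body."""
    m = HEADER_RE.match(rule)
    if m is None:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    return m.groupdict()

def apply_modifysid(rule, sid, pattern, replacement):
    """Model modifysid as a first-match regex substitution on one SID's rule.

    Assumption: the replacement is taken literally once the config-file
    backslash before '$' is removed.
    """
    if not re.search(r'\bsid:\s*%d\s*;' % sid, rule):
        return rule                      # different SID: leave untouched
    literal = replacement.replace('\\$', '$')
    new_rule, hits = re.subn(pattern, lambda _m: literal, rule, count=1)
    if hits == 0:
        # The pattern no longer matches, e.g. after a rule update changed the header.
        raise LookupError("pattern %r did not match sid %d" % (pattern, sid))
    return new_rule

def changed_fields(before, after):
    """Return the names of header fields that differ between two rules."""
    b, a = parse_header(before), parse_header(after)
    return sorted(k for k in b if b[k] != a[k])

if __name__ == "__main__":
    modified = apply_modifysid(SAMPLE_RULE, 1394,
                               r'\$HOME_NET any', r'\$HOME_NET !25')
    print(modified)
    print("changed:", changed_fields(SAMPLE_RULE, modified))
```

Because the pattern is anchored on `$HOME_NET`, the first "any" (the source port in the sample rule) is left alone and only the destination port changes.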





