[Snort-users] Oinkmaster and 1394

Joel Esler eslerj at ...11827...
Mon Aug 11 09:06:13 EDT 2008


There are a bunch of examples in the oinkmaster.conf file -- btw.

J

On Aug 10, 2008, at 9:30 PM, James Lay wrote:

>
> On 8/10/08 2:33 PM, "Markus Lude" <markus.lude at ...348...> wrote:
>
>> On Sun, Aug 10, 2008 at 07:49:08AM -0600, James Lay wrote:
>>> So I know there's a way to do this...I've seen it posted here before but for
>>> the life of me I can't find the posting.
>>>
>>> I get a lot of FP's with sid 1394 (shellcode) on port 25.  What's the way to
>>> use oinkmaster to modifysid to change the second occurrence of "any" to
>>> "!25"?  Thanks all!
>>
>> For some examples of modifysid you could take a look at your oinkmaster
>> config file. In your special case the following may help:
>>
>> modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"
>>
>> Regards,
>> Markus
>>
>
>
> Just what I needed...thanks Markus..I'll take another look at the config
> file again.
>
> James
>


--
Joel Esler
  http://blog.joelesler.net
  http://www.dearcupertino.com

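The `modifysid` line quoted above, as an added example that is not part of the original thread: a Python sketch that applies the same substitution and then checks that the destination port of sid 1394 really became `!25`. The rule text is a constructed sample (not the real sid 1394), the helper names are hypothetical, and `re.sub` with `count=1` stands in for Oinkmaster's own Perl substitution as an assumption.

```python
import re

# Constructed sample rules; NOT the shipped text of sid 1394 or any real rule.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"constructed shellcode sample"; content:"AAAA"; sid:1394; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"constructed other rule"; content:"BBBB"; sid:9000001; rev:1;)',
]

# action proto src_ip src_port direction dst_ip dst_port (
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\(')
SID = re.compile(r'\bsid:\s*(\d+)\s*;')

def rule_sid(rule):
    """Return the rule's sid as an int, or None if it has none."""
    m = SID.search(rule)
    return int(m.group(1)) if m else None

def modify_sid(rules, sid, pattern, replacement):
    """Apply one regex substitution to the rule carrying `sid` only."""
    out = []
    for rule in rules:
        if rule_sid(rule) == sid:
            # The lambda keeps the replacement literal (no backslash escapes).
            rule = re.sub(pattern, lambda m: replacement, rule, count=1)
        out.append(rule)
    return out

def dst_port(rule):
    """Destination port field of the rule header, or None if unparsable."""
    m = HEADER.match(rule)
    return m.group(7) if m else None

def check(rules, sid, expected_port):
    """True only if the sid is present and its destination port is as expected."""
    for rule in rules:
        if rule_sid(rule) == sid:
            return dst_port(rule) == expected_port
    return False

# Same pattern and replacement as the modifysid line in the thread. Anchoring
# on "$HOME_NET" is what selects the second "any" rather than the source port.
PATCHED = modify_sid(RULES, 1394, r'\$HOME_NET any', '$HOME_NET !25')
```

If a later ruleset update changes the header of sid 1394 so that the pattern no longer matches, the substitution does nothing and `check` returns False, which makes it a useful post-update test.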

