Snort mailing list archives
Re: Oinkmaster and 1394
From: Markus Lude <markus.lude () gmx de>
Date: Sun, 10 Aug 2008 22:33:14 +0200
On Sun, Aug 10, 2008 at 07:49:08AM -0600, James Lay wrote:
> So I know there's a way to do this...I've seen it posted here before but for the life of me I can't find the posting. I get a lot of FP's with sid 1394 (shellcode) on port 25. What's the way to use oinkmaster to modifysid to change the second occurrence of "any" to "!25"? Thanks all!
For some examples of modifysid you could take a look at your oinkmaster config file. In your special case the following may help:

modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"

Regards,
Markus
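A dry run of the directive above against a constructed rule, added here as an example (it is not part of the original thread and not Oinkmaster's own code). It approximates the regex substitution in Python and reports which header fields change, so the edit can be checked before the next rule update. The sample rules, the function names and the one-substitution-per-rule behaviour are assumptions.

```python
import re

# Constructed sample rules: the first has a header shaped like the one in the
# question (two "any" ports); its body is a placeholder, not the shipped SID 1394.
SAMPLE_RULES = [
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed sample"; content:"AAAA"; sid:1394; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed, other rule"; sid:9999991; rev:1;)',
]
DIRECTIVE = r'modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"'

DIRECTIVE_RE = re.compile(r'^modifysid\s+(\d+)\s+"(.*)"\s+\|\s+"(.*)"$')
HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (->|<>) (\S+) (\S+) \(')
SID_RE = re.compile(r'\bsid:\s*(\d+);')
FIELDS = ("action", "proto", "src", "sport", "dir", "dst", "dport")


def parse_directive(line):
    """Split a single-SID modifysid line into (sid, regex, replacement)."""
    m = DIRECTIVE_RE.match(line.strip())
    if not m:
        raise ValueError("not a single-SID modifysid line: %r" % line)
    sid, pattern, subst = m.groups()
    # Assumption: the replacement is literal text in which "\$" stands for "$";
    # capture-group references are not handled in this sketch.
    return int(sid), pattern, subst.replace(r'\$', '$')


def header(rule):
    """Return the seven header fields of a rule, or raise if it no longer parses."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("rule header did not parse: %r" % rule)
    return m.groups()


def dry_run(directive, rules):
    """Apply the substitution to the matching SID and report changed header fields."""
    sid, pattern, subst = parse_directive(directive)
    out, report = [], {}
    for rule in rules:
        m = SID_RE.search(rule)
        if m and int(m.group(1)) == sid:
            # Assumption: one substitution per rule (first match only).
            new = re.sub(pattern, lambda _m: subst, rule, count=1)
            pairs = zip(FIELDS, header(rule), header(new))
            report = {name: (old, cur) for name, old, cur in pairs if old != cur}
            rule = new
        out.append(rule)
    return out, report


if __name__ == "__main__":
    print(dry_run(DIRECTIVE, SAMPLE_RULES))
```

Because the pattern includes `$HOME_NET`, it cannot match the source side (`$EXTERNAL_NET any`), which is why only the destination port is reported as changed.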