Snort mailing list archives

Re: Oinkmaster and 1394


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 10 Aug 2008 19:30:07 -0600




On 8/10/08 2:33 PM, "Markus Lude" <markus.lude () gmx de> wrote:

> On Sun, Aug 10, 2008 at 07:49:08AM -0600, James Lay wrote:
> > So I know there's a way to do this...I've seen it posted here before but for
> > the life of me I can't find the posting.
> >
> > I get a lot of FP's with sid 1394 (shellcode) on port 25.  What's the way to
> > use oinkmaster to modifysid to change the second occurrence of "any" to
> > "!25"?  Thanks all!
>
> For some examples of modifysid you could take a look at your oinkmaster
> config file. In your special case the following may help:
>
> modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"
>
> Regards,
> Markus



Just what I needed...thanks Markus..I'll take another look at the config
file again.

James
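A dry run of the modifysid line from this thread, as an added example that is not part of the original messages or of Oinkmaster itself: it applies the substitution to a rule and reports which header fields changed, so a pattern that matches nothing or touches the wrong field is caught before the ruleset is reloaded. The sample rule text is constructed (not the real sid 1394), the helper names are hypothetical, and Python's `re` with a first-match-only replacement stands in for Oinkmaster's Perl substitution as an assumption.

```python
import re

# Constructed sample rule for illustration; not the real text of sid 1394.
SAMPLE_RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"constructed sample"; content:"AAAA"; sid:1394; rev:1;)')
# The directive exactly as given in the reply above.
DIRECTIVE = r'modifysid 1394 "\$HOME_NET any" | "\$HOME_NET !25"'

HEADER_FIELDS = ("action", "proto", "src", "sport", "dir", "dst", "dport")

def parse_modifysid(line):
    """Split a modifysid line into (sid, regex, replacement)."""
    m = re.fullmatch(r'modifysid\s+(\d+)\s+"(.*)"\s*\|\s*"(.*)"', line.strip())
    if not m:
        raise ValueError("not a modifysid directive: %r" % line)
    sid, pattern, repl = m.groups()
    # Assumption: "\$" in the replacement stands for a literal "$".
    return int(sid), pattern, repl.replace(r"\$", "$")

def rule_header(rule):
    """Return the seven header fields that precede the option block."""
    return dict(zip(HEADER_FIELDS, rule.split("(", 1)[0].split()))

def dry_run(rule, directive):
    """Apply the directive to one rule; return (new_rule, changed_fields)."""
    sid, pattern, repl = parse_modifysid(directive)
    if not re.search(r"\bsid:\s*%d\s*;" % sid, rule):
        return rule, []                      # directive targets another sid
    # Assumption: only the first match is replaced. A function replacement
    # keeps repl literal, so "!25" is never read as a backreference.
    new_rule, hits = re.subn(pattern, lambda _m: repl, rule, count=1)
    if hits == 0:
        raise ValueError("pattern did not match sid %d; rule unchanged" % sid)
    old, new = rule_header(rule), rule_header(new_rule)
    return new_rule, [f for f in HEADER_FIELDS if old[f] != new[f]]

if __name__ == "__main__":
    new_rule, changed = dry_run(SAMPLE_RULE, DIRECTIVE)
    print(new_rule)
    print("changed header fields:", changed)
```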


