Wednesday, June 1, 2016

snort oinkmaster

To modify Signatures using oinkmaster.

modifysid 1000000 "\$EXTERNAL_NET" | "!\$HOME_NET"

modifysid 1000001 "\$EXTERNAL_NET" | "![10.0.0.1,10.0.0.2]"

modifysid 1000001 "\-> any" | "\-> ![10.0.0.1]"

disablesid 1000002

DANGER:  Don't you dare leave spaces between the IP address while you are negating them in modifysid shown in the second line.  The reference for that is shown below from snort manual.