Re: Negation while still using source ports.

[Dragos Ruiu <dr () kyx net>]

What you're trying to do is a little beyond snort's address lists.

Your rule is actually providing an extra field to the snort rule parser that is
confusing it.  Try using just the negated address list and not $EXTERNAL_NET.

cheers,
--dr

On Mon, 10 Sep 2001, Vjay LaRosa wrote:
> Hello,
>
> I have been fooling around with this rule all day and I was wondering if
> some one could be so kind as to help me out. I want to ignore my DNS
> servers in this alert. Here is the rule.
>
>
> alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
> (msg:"MISC TCP source port 53 to <1024"; flags:S;
> reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
>
> When I take out the source port it seems to work. Is there another way I
> should be doing this?
> Thanks!
>
> vjl
>
> --
>  V.Jay LaRosa                           EMC Corporation
>  Systems Administrator                  171 South Street
>  (508)435-1000 ext 14957                Hopkinton, MA 01748
>  (508)497-8082 fax                      www.emc.com

----------------------------------------
Content-Type: text/html; name="unnamed"
Content-Transfer-Encoding: 7bit
Content-Description: 
----------------------------------------

-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users