Snort mailing list archives
How to Craft a rule that negates multiple ports??
From: Alan_Kloster () wstnres com
Date: Tue, 28 May 2002 10:02:45 -0500
I have been trying to craft a rule that will negate traffic coming from ports 80 and 443. Specifically the rule for "DOS MSDTC attempt", which seems to generate an inordinate amount of false positives. Using the syntax ![80,443] or ![80, 443] or ![ 80 443] or !80 !443 or !80,!443 doesn't seem to work, as the rules fail to load. The "Guide to Writing Snort Rules" mentions negation of single ports and port ranges, but not the negation of multiple ports not in a range. Also, making two separate rules doesn't work either, as the first rule alerts on port 80 successfully, but the second rule doesn't appear to get applied, as the traffic on port 443 doesn't alert. I am using Snort 1.8.7. Is this possible?

This rule won't load:

alert tcp $EXTERNAL_NET ![80,443] -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:2;)

From messages:

May 28 09:57:24 snort1 snort: FATAL ERROR: ERROR /usr/local/snort/dos.rules (22) => Invalid port: [80,443]

These rules only apply the first instance:

alert tcp $EXTERNAL_NET !80 -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:2;)
alert tcp $EXTERNAL_NET !443 -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:2;)

Alan Kloster
alan_kloster () wr com
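An added example, not part of the post above: a small Python model of the port field of a Snort rule header as the rules guide describes it (a single port, a low:high range, "any", and a leading "!" for negation), with a port list such as [80,443] deliberately rejected to mirror the "Invalid port" error quoted. It is an illustration of the semantics, not Snort's own parser, and it shows why two separate rules negating one port each still fire on both ports while a negated range excludes everything in between.

```python
# Added illustration (not Snort's code): model of a 1.x-style rule port field.
# Accepted: "any", "N", "L:H", ":H", "L:", each optionally prefixed with "!".
# A bracketed list like "[80,443]" is rejected, matching the poster's error.
from dataclasses import dataclass

MAX_PORT = 65535


@dataclass(frozen=True)
class PortSpec:
    low: int
    high: int
    negated: bool

    def matches(self, port: int) -> bool:
        inside = self.low <= port <= self.high
        return not inside if self.negated else inside


def parse_port_spec(spec: str) -> PortSpec:
    """Parse one port field; raise ValueError the way Snort reports 'Invalid port'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return PortSpec(0, MAX_PORT, negated)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0          # ":443" means 0 through 443
        high = int(hi) if hi else MAX_PORT  # "1024:" means 1024 through 65535
    else:
        if not spec.isdigit():              # "[80,443]" lands here
            raise ValueError(f"Invalid port: {spec}")
        low = high = int(spec)
    if not 0 <= low <= high <= MAX_PORT:
        raise ValueError(f"Invalid port: {spec}")
    return PortSpec(low, high, negated)


def rule_loads(spec: str) -> bool:
    """True if this model accepts the port field (the rule would load)."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def ports_alerting(rule_specs: list[str], candidate_ports: list[int]) -> set[int]:
    """Ports on which at least one of several rules fires (rules OR together)."""
    specs = [parse_port_spec(s) for s in rule_specs]
    return {p for p in candidate_ports if any(s.matches(p) for s in specs)}
```

Two rules with !80 and !443 are a union: the !80 rule alone already fires on source port 443, so the pair fires on every port, while !80:443 suppresses 80 and 443 but also every port from 81 to 442.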