Stoopid port syntax question

["Kristopher Czachor" <czachor () syrres com>]

Hey all,

 

I looked at Marty's bible, even read the FAQ. I understand that, in rule
creation, I can set up a range of ports using the : operator, but how do
I set up one rule to look for a hand full of widely scattered ports,
like 21,23,80,443, etc.

 

Here's an example which might better help explain:

alert tcp 192.168.15.1 any -> 192.168.45.24 21,23,80 (content <blah blah
blah>)

 

Is something like that possible? I tried this and snort squeals. IMHO,
it'd seem like this would help if I have a hand full of web servers all
running on different ports. 

 

As always, thanks in advance.

 

Kris