Snort mailing list archives

negated port ranges (was Re: Constructing Rules)


From: Bennett Todd <bet () rahul net>
Date: Tue, 26 Nov 2002 14:44:00 -0500

2002-11-26-11:05:36 Michael Lougee:
alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 (msg:"MISC source route lssr";
ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418;
classtype:bad-unknown; sid:500; rev:2;)

I think the closest you can come to that right now is to use three
rules (three copies of the rule):

alert ip $EXTERNAL_NET any -> $HOME_NET    1:79    (msg:"MISC ...
alert ip $EXTERNAL_NET any -> $HOME_NET   82:8079  (msg:"MISC ...
alert ip $EXTERNAL_NET any -> $HOME_NET 8081:65535 (msg:"MISC ...

I haven't actually done this, but as far as I know and as far as I
can tell from The Fine Manual, there shouldn't be any need to change
_anything_ else in the copies of the rules --- I think you can even
leave the sids identical on all three copies. That might bust some
automatic sid-msg.map generators, or other programs that try to
parse the *.rules files directly, I don't know. But I don't see any
reason snort would have a problem with it.

-Bennett
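The manual three-copy expansion above generalizes: take the negated ports, sort them, and emit every gap between them (plus the run before the first and after the last) as one `start:end` range. The script below does that and rewrites the quoted rule into one copy per range, leaving the option block untouched as the post suggests. It is an added example, not code from the thread or from the Snort project; it assumes the same 1..65535 port span the post's ranges use (port 0 is left out, as in the post) and a one-line rule whose header has the standard seven fields.

```python
"""Expand a Snort rule whose destination port is a negated list
(e.g. "!80,!81,!8080") into one rule per complementary port range.
Added example for the thread; not Snort project code."""

# Assumption: match the post's ranges, which start at 1 and end at 65535.
PORT_MIN, PORT_MAX = 1, 65535


def complement_ranges(excluded, lo=PORT_MIN, hi=PORT_MAX):
    """Return sorted (start, end) pairs covering lo..hi with `excluded` removed.

    Adjacent excluded ports (80 and 81) produce no empty range between them,
    and excluded ports outside lo..hi are ignored.
    """
    bad = sorted({p for p in excluded if lo <= p <= hi})
    ranges = []
    cur = lo
    for p in bad:
        if p > cur:
            ranges.append((cur, p - 1))
        cur = p + 1
    if cur <= hi:
        ranges.append((cur, hi))
    return ranges


def fmt_range(r):
    """Snort port syntax: a single port as '80', a span as '82:8079'."""
    a, b = r
    return str(a) if a == b else f"{a}:{b}"


def parse_negated_ports(spec):
    """Parse '!80,!81,!8080' into {80, 81, 8080}.

    Every element must be negated; a mixed list has no single complement.
    """
    ports = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok.startswith("!"):
            raise ValueError(f"expected a negated port, got {tok!r}")
        ports.add(int(tok[1:]))
    return ports


def split_rule(rule):
    """Return one copy of `rule` per complementary destination-port range.

    The header is assumed to be: action proto src sport -> dst dport, followed
    by the parenthesised option block, which is copied verbatim.
    """
    head, paren, body = rule.strip().partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError("unexpected rule header: " + head)
    excluded = parse_negated_ports(fields[6])
    copies = []
    for r in complement_ranges(excluded):
        fields[6] = fmt_range(r)
        copies.append(" ".join(fields) + " " + paren + body)
    return copies


if __name__ == "__main__":
    # The rule from the quoted question, collapsed onto one line.
    RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 '
            '(msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; '
            'reference:cve,CVE-1999-0909; reference:arachnids,418; '
            'classtype:bad-unknown; sid:500; rev:2;)')
    for copy in split_rule(RULE):
        print(copy)
```

Running it on the quoted rule prints three rules with destination ports `1:79`, `82:8079` and `8081:65535`, the same split as above. The caveat from the post still applies to the output: every copy carries the same `sid:500`, which Snort itself may accept but which can confuse tools that build `sid-msg.map` from the rules files; if that matters in your deployment, renumber the copies before loading them.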
