Snort mailing list archives
negated port ranges (was Re: Constructing Rules)
From: Bennett Todd <bet () rahul net>
Date: Tue, 26 Nov 2002 14:44:00 -0500
2002-11-26-11:05:36 Michael Lougee:
alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;)
I think the closest you can come to that right now is to use three rules (three copies of the rule):

    alert ip $EXTERNAL_NET any -> $HOME_NET 1:79 (msg:"MISC ...
    alert ip $EXTERNAL_NET any -> $HOME_NET 82:8079 (msg:"MISC ...
    alert ip $EXTERNAL_NET any -> $HOME_NET 8081:65535 (msg:"MISC ...

I haven't actually done this, but as far as I know and as far as I can tell from The Fine Manual, there shouldn't be any need to change _anything_ else in the copies of the rules --- I think you can even leave the sids identical on all three copies. That might bust some automatic sid-msg.map generators, or other programs that try to parse the *.rules files directly, I don't know. But I don't see any reason snort would have a problem with it.

-Bennett
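The splitting Bennett describes by hand generalises: take the full port space 1:65535, remove the negated ports, and emit one copy of the rule per remaining contiguous range. The following script is an added illustration of that, not code from the Snort project or from anyone on this thread; `complement_ports` and `split_negated_dport_rule` are hypothetical helper names, the rule parser only understands the single-line header/options layout shown in the quoted rule, and the sample rule is the one quoted above.

```python
"""Expand a Snort rule whose destination port field is a list of negated
single ports (!80,!81,!8080) into copies that use positive port ranges.
Hypothetical helper written for this illustration; not part of Snort."""

import re


def complement_ports(excluded, low=1, high=65535):
    """Return sorted (start, end) ranges covering low..high minus `excluded`.

    Duplicates and out-of-range ports are ignored; adjacent excluded ports
    (80 and 81 here) collapse into a single gap rather than an empty range.
    """
    ranges = []
    cursor = low
    for port in sorted(set(excluded)):
        if port < low or port > high:
            continue
        if port > cursor:
            ranges.append((cursor, port - 1))
        cursor = port + 1
    if cursor <= high:
        ranges.append((cursor, high))
    return ranges


def format_port_range(start, end):
    """Render a range the way a Snort rule header expects (single port or a:b)."""
    return str(start) if start == end else f"{start}:{end}"


# Header fields of a one-line rule, followed by the parenthesised option block.
RULE_HEADER = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<options>\(.*\))\s*$"
)


def split_negated_dport_rule(rule):
    """Return the list of rule copies with positive destination port ranges.

    A rule whose dport field is not a comma-separated list of negated single
    ports is returned unchanged (as a one-element list).
    """
    m = RULE_HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule")
    items = m.group("dport").split(",")
    if not all(item.startswith("!") and item[1:].isdigit() for item in items):
        return [rule.strip()]
    excluded = [int(item[1:]) for item in items]
    copies = []
    for start, end in complement_ports(excluded):
        # Everything except the dport field, including sid and rev, is kept
        # verbatim, which is exactly what the post proposes.
        copies.append(
            f"{m.group('action')} {m.group('proto')} {m.group('src')} "
            f"{m.group('sport')} {m.group('dir')} {m.group('dst')} "
            f"{format_port_range(start, end)} {m.group('options')}"
        )
    return copies


# The rule quoted earlier in this thread.
SAMPLE_RULE = (
    'alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 '
    '(msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; '
    'reference:cve,CVE-1999-0909; reference:arachnids,418; '
    'classtype:bad-unknown; sid:500; rev:2;)'
)

if __name__ == "__main__":
    for line in split_negated_dport_rule(SAMPLE_RULE):
        print(line)
```

Running it on the quoted rule yields the same three ranges Bennett wrote out by hand (1:79, 82:8079, 8081:65535). Because the option block is copied untouched, all three copies carry sid:500, so any tooling that assumes one rule per sid will see duplicates, which is the caveat raised in the post.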