Re: Question on port lists and negation

["Scott Dexter" <scott.dexter () gmail com>]

I believe he is referring to snort 2.8 which does support port lists.

On 10/8/07, Matt Kettler <mkettler () evi-inc com> wrote:
> Richard Bejtlich wrote:
> > Hello,
> >
> > As I mentioned to roesch and WuTang in IRC, I am playing with port
> > lists and negation.
> >
> > Say I create this snort.conf:
> >
> > portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
> > alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)
>
> port specs cannot be comma-delimited lists like that, IIRC.
>
> For ports you can specify:
>         a port [80]
>         a continuous range of ports [1:1023]
>         or a negation of either of the above.
>
> But you cannot do things like [80,88]. That syntax only works for IP addresses.
>
> See also, the docs on port numbers in rules:
>
> http://www.snort.org/docs/snort_htmanuals/htmanual_2615/node153.html


-- 
Scott Dexter

Ignorance more frequently begets confidence than does knowledge: it is
those who know little, not those who know much, who so positively
assert that this or that problem will never be solved by science.
        Charles Darwin
        English biologist (1809 - 1882)

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users