Snort mailing list archives

Re: Not-ing out ports


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 13 May 2013 11:09:08 -0400

On 5/13/2013 10:19, Lay, James wrote:
Guessing you’ll want the !25 on both ends since it’s bidirectional:

alert tcp !25 any <> any !25

note:  alert tcp any !25 <> any !25

i thought the same thing but then i thought about someone using port 25 to 
tunnel like some do with port 53 and that didn't seem to be a good idea...

@OP: i'd take that rule and split it into at least two separate ones... one for 
inbound and one for outbound... put these in your local.rules and disable the 
current one that doesn't work as desired... then, maybe contact those who wrote 
it and ask for a fix... maybe even provide your two working ones with an 
explanation of why the original isn't working as desired ;)

James

*From:* John Wiltberger [mailto:johwiltb () gmail com]
*Sent:* Monday, May 13, 2013 5:01 AM
*To:* snort-sigs () lists sourceforge net
*Subject:* [Snort-sigs] Not-ing out ports

So I have a question. When dealing with bi-directional signatures (I know, they
aren't ideal in the least, but sometimes you can't help who develops your
signatures), if you choose to not-out a port (as in !<port number>), does Snort
run a boolean OR on the traffic (as in 'if source port != <port number> OR
destination port != <port number>')?

Reason is, I have a signature whose header is 'alert tcp any any <> any !25',
yet it is still alerting off of traffic over port 25. I'm sorry if this seems
confusing, I can't think of a better way of stating this. Any thoughts?



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
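As an added example (not part of the thread), a small Python model of how Snort tests the port fields of a rule header, which is enough to show why the original post's 'alert tcp any any <> any !25' still alerts on port 25 traffic: with '<>' the header is tried in both orientations, so any packet whose other end is not port 25 matches. The port_matches and header_matches helpers and the sample packets are constructed here, not Snort code.

```python
# Added example (not from the thread): a minimal model of how Snort matches the
# port fields of a rule header, showing why 'any any <> any !25' still fires on
# port-25 traffic. Only header ports are modelled (no rule options, no flow
# tracking). Assumes the documented semantics of the '<>' direction operator:
# the header is tested in its written orientation and with src/dst swapped.
from typing import NamedTuple

class Packet(NamedTuple):
    sport: int
    dport: int

def port_matches(spec: str, port: int) -> bool:
    """Match one header port field: 'any', a single port, or a negated port."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)

def header_matches(header: str, pkt: Packet) -> bool:
    """Evaluate a header such as 'alert tcp any !25 <> any !25' against pkt."""
    _action, _proto, _sip, sport, direction, _dip, dport = header.split()
    forward = port_matches(sport, pkt.sport) and port_matches(dport, pkt.dport)
    if direction == "->":
        return forward
    if direction == "<>":
        # Bidirectional: the header also matches when read with src/dst swapped,
        # so a single '!25' only constrains one end of each orientation.
        swapped = port_matches(sport, pkt.dport) and port_matches(dport, pkt.sport)
        return forward or swapped
    raise ValueError(f"unknown direction operator {direction!r}")

# Constructed sample traffic: both halves of an SMTP session and a flow that
# never touches port 25.
SMTP_CLIENT_TO_SERVER = Packet(sport=54321, dport=25)
SMTP_SERVER_TO_CLIENT = Packet(sport=25, dport=54321)
UNRELATED_FLOW = Packet(sport=40000, dport=443)

OP_RULE = "alert tcp any any <> any !25"      # header from the original post
JAMES_RULE = "alert tcp any !25 <> any !25"   # '!25' on both ends, as suggested

if __name__ == "__main__":
    for name, pkt in [("client->server", SMTP_CLIENT_TO_SERVER),
                      ("server->client", SMTP_SERVER_TO_CLIENT),
                      ("unrelated", UNRELATED_FLOW)]:
        print(f"{name:15} OP_RULE={header_matches(OP_RULE, pkt)!s:5} "
              f"JAMES_RULE={header_matches(JAMES_RULE, pkt)}")
```

Running it shows the original header matching both halves of the SMTP session while the '!25 <> !25' form excludes them and still matches the unrelated flow.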

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org