Snort mailing list archives

Re: Negation while still using source ports.


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 10 Sep 2001 16:38:42 -0700 (PDT)

On Mon, 10 Sep 2001, Vjay LaRosa wrote:

> I have been fooling around with this rule all day and I was wondering if
> someone could be so kind as to help me out. I want to ignore my DNS
> servers in this alert. Here is the rule.
>
> alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
> (msg:"MISC TCP source port 53 to <1024"; flags:S;
> reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
>
> [...snip...]

As others have pointed out, this is not doable with the current rules parser.

Why don't you use a pass rule and then use the -o command-line option?
Something like:

pass udp $DNS_SERVERS 53 <> $HOME_NET any
pass tcp $DNS_SERVERS 53 <> $HOME_NET any

Or if worse comes to worse, you could use a BPF filter on the command line...

No warranty implied or intended.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
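The pass-rule approach from the reply above, written out as a complete snort.conf fragment. This is an added example, not from the original thread; the HOME_NET and DNS_SERVERS addresses are placeholders you would replace with your own, and the rule ordering comments describe the -o switch as documented for Snort 1.x.

```snort
# Added example (not from the original thread). Placeholder addresses:
# replace HOME_NET and DNS_SERVERS with your own networks and resolvers.
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.0.2.53,192.0.2.54]

# Pass rules: replies from the trusted DNS servers' port 53 are dropped
# from further inspection, so the alert rule below never sees them.
pass udp $DNS_SERVERS 53 <> $HOME_NET any
pass tcp $DNS_SERVERS 53 <> $HOME_NET any

# The stock rule from the thread (sid 504), unchanged. It now fires only
# for source-port-53 SYNs from hosts that are not in $DNS_SERVERS.
alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC TCP source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)

# Snort's default rule order is Alert -> Pass -> Log, so without -o the
# alert fires before the pass rule is consulted. Start it with -o to get
# Pass -> Alert -> Log order:
#
#   snort -o -c snort.conf -i eth0
```

Note that a pass rule silences every rule for the matching traffic, not only sid 504, so keep $DNS_SERVERS limited to the resolvers you actually trust and review the pass rules whenever that list changes.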

