Snort mailing list archives

port ranges/selection


From: "Jonathan J. Hart" <jhart () ccs neu edu>
Date: Wed, 18 Jul 2001 21:59:38 -0400 (EDT)

Hey there,

I'm trying to write a rule that'll log and alert me of all traffic _not_
on a set of ports.  

For example, I want to log all traffic to a machine that is not bound for
port 21, 80, or 443.  I can do a single port (i.e., !X where X is the port
number), but that only works when I want to eliminate a single port.  Is
there a syntax that'll allow this?  I'd like to do something like:

alert tcp ![$myhosts] any -> $WEB_SERVER ![21,80,443] (msg: "Foo";)

...where that'd log all connections from the world to ports other than
21,80,443.

Ideas?  I checked the man pages, the updated "writing snort
rules" document and every example I could find locally and on the web
without success.

I can do this from the command line using the tcpdump-ish syntax:
        
        snort -i xl0 -Cvd ! port 80 and ! port 21 and ! port 443

And that gets me the expected results.

Thanks for any help/clues you can give me.

-jon

