Snort mailing list archives

RE: newbie-writing rules help


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Mon, 22 Jul 2002 16:51:31 -0400

> For example only traffic from the outside going to
> port :80,23,8000,8001,8002 and a few more are allowed.
> How must I define this;
> I thought of:
> alert tcp any anu -> any 1[80,23,8000,8001,8002]
> (msg:"Er";)

I'm a little unclear as to what you're trying to accomplish.  Before we even get to rules syntax:

1) If these services are allowed, why does it appear that you're trying to generate alerts every time someone accesses them?  That is not intrusion detection, that is accounting (in which case Snort is the wrong tool).

2) Assuming that your alert rule was a simple mistake, what is it that you wish to do?  Do you want to

- Generate alerts when a service *other* than those listed is accessed?
- Simply inspect the traffic for these services using default rules?
- Perform some kind of (very odd) accounting using Snort?

Just a little more information and we'll get you started down the right path!  Please include your Snort version as well (just to make sure you're current)...

Cheers

Keith
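
The port field of a rule header is where the quoted rule goes wrong, and it is also where Keith's first option (alert on any service *other* than the allowed ones) would be expressed. As an added illustration that is not part of this thread or of Snort itself, the Python below models how a Snort 2.x rule header port field is read (single port, range, `any`, bracketed list, leading `!` for negation) so a rule can be sanity-checked before it is loaded; `parse_ports` and `port_matches` are hypothetical helper names.

```python
"""Model of Snort 2.x rule-header port matching (added example, not Snort code).

Accepted forms: 80, 8000:8002, :1023, 1024:, any, [80,23,8000:8002] and a
leading ! that negates the whole field.  The quoted `1[80,...]` is rejected.
"""
import re

# optional low port, optional ':', optional high port
PORT_RE = re.compile(r"^(\d+)?(:)?(\d+)?$")


def parse_ports(spec):
    """Return (negated, [(lo, hi), ...]) for one rule-header port field."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, [(0, 65535)]
    if spec.startswith("["):
        if not spec.endswith("]"):
            raise ValueError("unterminated port list: " + spec)
        items = spec[1:-1].split(",")
    else:
        items = [spec]
    ranges = []
    for item in items:
        m = PORT_RE.match(item.strip())
        if not m or not (m.group(1) or m.group(3)):
            raise ValueError("bad port specification: %r" % item)
        lo = int(m.group(1)) if m.group(1) else 0
        hi = int(m.group(3)) if m.group(3) else 65535
        if not m.group(2):          # plain "80" means exactly one port
            hi = lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port out of range: %r" % item)
        ranges.append((lo, hi))
    return negated, ranges


def port_matches(spec, port):
    """True if a packet to `port` would be selected by the header field."""
    negated, ranges = parse_ports(spec)
    hit = any(lo <= port <= hi for lo, hi in ranges)
    return hit != negated


if __name__ == "__main__":
    allowed = "![80,23,8000:8002]"   # option 1: alert on anything else
    for p in (80, 23, 8001, 22, 3389):
        print(p, "alerts" if port_matches(allowed, p) else "ignored")
```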
