Snort mailing list archives

Re: newbie-writing rules help


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 22 Jul 2002 14:14:30 -0700 (PDT)

On Mon, 22 Jul 2002, charella constansia wrote:

> Hi,
>
> I have a question! I'm a newbie so maybe this sounds
> like a stupid question to you but please help me.
>
> I want to write some rules.
> My problem is that I have a server and only certain
> activities are allowed.
>
> For example, only traffic from the outside going to
> ports 80, 23, 8000, 8001, 8002 and a few more is allowed.
> How must I define this?
> I thought of:
> alert tcp any anu -> any 1[80,23,8000,8001,8002]
> (msg:"Er";)
> Is this good? I looked in the Snort users manual but I
> couldn't find the answer.

If I'm correct you meant to write:

        alert tcp any any -> any ![80,23,8000,8001,8002] (msg:"Er";)

If so...  Sorry, that won't work.  Snort does not handle port lists at the
moment, so you can't use a list of any sort to define that.

Now, keep in mind snort will only 'alert' you.  It's not a firewall or a
packet filter.  There are other programs that you should use if that's what
you want to do.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
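
Since the reply says this Snort version has no port lists, one way to cover "every port except the allowed ones" is to compute the gaps between the allowed ports and write one alert rule per gap. The Python below is an added example, not part of the original thread; it assumes Snort's single-port and lo:hi range syntax in the rule header (including the open-ended :hi and lo: forms), and the function names are hypothetical.

```python
# Added example (not from the original thread): express "any port NOT in
# the allowed list" using only single ports and lo:hi ranges.
MAX_PORT = 65535

def complement_ranges(allowed, lo=0, hi=MAX_PORT):
    """Return inclusive (start, end) gaps in lo..hi that hold no allowed port."""
    gaps, nxt = [], lo
    for port in sorted(set(allowed)):
        if not lo <= port <= hi:
            raise ValueError(f"port out of range: {port}")
        if port > nxt:
            gaps.append((nxt, port - 1))
        nxt = port + 1
    if nxt <= hi:
        gaps.append((nxt, hi))
    return gaps

def port_field(start, end):
    """Render one gap in Snort rule-header port syntax (assumed syntax)."""
    if start == 0 and end == MAX_PORT:
        return "any"
    if start == end:
        return str(start)
    if start == 0:
        return f":{end}"
    if end == MAX_PORT:
        return f"{start}:"
    return f"{start}:{end}"

def rules_for(allowed, msg="Er"):
    """One alert rule per gap; together they cover every non-allowed port."""
    return [f'alert tcp any any -> any {port_field(s, e)} (msg:"{msg}";)'
            for s, e in complement_ranges(allowed)]

def is_flagged(port, allowed):
    """True if some generated range would match this destination port."""
    return any(s <= port <= e for s, e in complement_ranges(allowed))

# Port list taken from the question in the thread.
ALLOWED = [80, 23, 8000, 8001, 8002]

if __name__ == "__main__":
    for rule in rules_for(ALLOWED):
        print(rule)
```

The generated headers keep the question's "any" destination address, so they match traffic to every host; narrowing the destination to the server's address is left to the rule writer.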


