Snort mailing list archives

Constructing Rules

From: "Michael Lougee" <lougee () usna edu>
Date: Tue, 26 Nov 2002 11:05:36 -0500

Hello all,
  Just a quick question, when making a rule in snort I want snort to negate/ignore multiple
ports, not a range.  Is this able to be done?
 
Just an random rule example:
 
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr;
reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418;
classtype:bad-unknown; sid:500; rev:2;)
 
What I am trying to do:
 
alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 (msg:"MISC source route lssr";
ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418;
classtype:bad-unknown; sid:500; rev:2;)

This approach comes up with an error, and I have not found another approach that works.
 
Any help would be greatly appreciated.
 
Thanks,
Mike

Current thread:

Constructing Rules Michael Lougee (Nov 26)
- Re: Constructing Rules Matt Kettler (Nov 26)
- Re: Constructing Rules Brian (Nov 26)
- negated port ranges (was Re: Constructing Rules) Bennett Todd (Nov 26)