Snort mailing list archives
Constructing Rules
From: "Michael Lougee" <lougee () usna edu>
Date: Tue, 26 Nov 2002 11:05:36 -0500
Hello all, Just a quick question, when making a rule in snort I want snort to negate/ignore multiple ports, not a range. Is this able to be done? Just an random rule example: alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;) What I am trying to do: alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;) This approach comes up with an error, and I have not found another approach that works. Any help would be greatly appreciated. Thanks, Mike
Current thread:
- Constructing Rules Michael Lougee (Nov 26)
- Re: Constructing Rules Matt Kettler (Nov 26)
- Re: Constructing Rules Brian (Nov 26)
- negated port ranges (was Re: Constructing Rules) Bennett Todd (Nov 26)