Snort mailing list archives
Re: Constructing Rules
From: Brian <bmc () snort org>
Date: Tue, 26 Nov 2002 15:19:51 -0500
On Tue, Nov 26, 2002 at 11:05:36AM -0500, Michael Lougee wrote:
> Hello all,
>
> Just a quick question, when making a rule in snort I want snort to negate/ignore multiple ports, not a range. Is this able to be done?
>
> Just a random rule example:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;)
>
> What I am trying to do:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;)

Well, for one, you shouldn't specify ports for IP packets. Ports are somewhat unique to UDP and TCP.

Also, port lists don't work yet. Andrew's new parser will probably take care of this.

-brian