Snort mailing list archives

Re: Constructing Rules


From: Brian <bmc () snort org>
Date: Tue, 26 Nov 2002 15:19:51 -0500

On Tue, Nov 26, 2002 at 11:05:36AM -0500, Michael Lougee wrote:
> Hello all,
>   Just a quick question, when making a rule in snort I want snort to negate/ignore multiple
> ports, not a range.  Is this able to be done?
>
> Just a random rule example:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr;
> reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418;
> classtype:bad-unknown; sid:500; rev:2;)
>
> What I am trying to do:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080 (msg:"MISC source route lssr";
> ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418;
> classtype:bad-unknown; sid:500; rev:2;)

Well, for one, you shouldn't specify ports for IP packets.  Ports are somewhat unique to 
UDP and TCP.  

Also, port lists don't work yet.  Andrew's new parser will probably take care of this.

-brian
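
Added example (not part of the original post and not Snort code): a small Python check that flags the two problems named in the reply above, ports set on a non-TCP/UDP rule and a comma-separated port list. The function name `lint_rule_header` is hypothetical, the sample rules are the two from the question with the reference options shortened, and the check reflects Snort's behaviour as described in this 2002 reply.

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")

def lint_rule_header(rule):
    """Return a list of findings for one Snort rule (may be wrapped over lines)."""
    # Collapse line wraps and repeated spaces so the header is on one line.
    m = HEADER_RE.match(" ".join(rule.split()))
    if not m:
        return ["could not parse rule header"]
    _action, proto, _src, sport, _direction, _dst, dport = m.groups()
    findings = []
    for side, port in (("source", sport), ("destination", dport)):
        if port == "any":
            continue
        # Ports belong to TCP and UDP; on other protocols the field should be 'any'.
        if proto.lower() not in ("tcp", "udp"):
            findings.append(f"{side} port '{port}' set on a {proto} rule; use 'any'")
        # A list such as !80,!81,!8080 is the form the reply says does not work.
        if "," in port:
            findings.append(f"{side} port '{port}' is a comma-separated list")
    return findings

# The two rules from the question, shortened and re-typed here as sample input.
RULE_ANY = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
            '(msg:"MISC source route lssr"; ipopts:lsrr; sid:500; rev:2;)')
RULE_LIST = ('alert ip $EXTERNAL_NET any -> $HOME_NET !80,!81,!8080\n'
             '(msg:"MISC source route lssr"; ipopts:lsrr; sid:500; rev:2;)')

if __name__ == "__main__":
    for rule in (RULE_ANY, RULE_LIST):
        print(lint_rule_header(rule) or "ok")
```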

