Re: Rule help with multiple port negation

[Alberto Gonzalez <ag-snort () cerebro violating us>]

Im assuming you want to log _EVERYTHING_ except whats headed to dst port 
80,443,110 right?
in your example you have that them as your 'src' port. on the left hand 
side of the direction operator
you could try port negation via 'ranges' like so !80:443  only a handful 
of services run in between..
but you would probably MISS alot....

I know you can specify multiple IP address via [x.x.x.x/32,x.x.x.x/32]
I checked the manual, i only saw port negation via ranges.. not multiple 
"!" ...
I could be wrong, tell me if I am.. take care

hope it helps ( wee 2 cents free )
  
   - Albert

McKim, Tim wrote:

> I want to create a rule that ignores three ports but alerts on everything
> else. 
>
>
> Something like 
>
> alert tcp !$HOME_NET (!80 && !443 && !110) -> $HOME_NET any ..........
>
> I just haven't been able to find what the correct syntax is or if it is even
> possible. If anyone knows how to do this I would appreciate the help.
>
> Thanks, 
>
> Tim 
>
>
>  
--
The secret to success is to start from scratch and keep on scratching.




-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users