Snort mailing list archives

multiple ports in rule


From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: Wed, 17 Dec 2003 10:19:05 -0800

I enabled checking of p2p rules, and this morning I had 8,500 alerts of
p2p GNUTella GET, which turned out to all be to the mail server.

I looked at the offending rule, which looks like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:misc-activity; sid:1432;  rev:3;)

Is there a way to specify not to use port 25 either?

ie [!80 !25] or something?

This is snort v 2.0.1 by the way.

--Bryan
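Two ways to express "not 80 and not 25" under the Snort 2.0.x header syntax, as an added example that is not part of the post or of the official rule set. It assumes that a 2.0 rule header takes one port, one range (a:b, :b or a:) or one negation per side and no port list, so either the excluded ports are carved out with ranges, or a pass rule for port 25 is added and Snort is started with -o so pass rules are applied before alert rules. The local sids (1000001 and up) are an assumed choice from the range reserved for local rules:

```snort
# Option 1: split the port space around 80 and 25 (assumed local sids).
# Disable the original sid:1432 rule, or the same packet alerts twice.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1:24 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 26:79 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1000003; rev:1;)

# Option 2: keep sid:1432 as shipped and add a pass rule for port 25.
# Snort's default order is Alert->Pass->Log, so this only works when
# snort is run with -o (Pass->Alert->Log); otherwise the alert fires first.
pass tcp $HOME_NET any -> $EXTERNAL_NET 25 (flow:to_server,established; content:"GET "; offset:0; depth:4;)
```

The pass rule repeats the same content match so that only the traffic sid:1432 would have alerted on is suppressed, rather than everything to port 25. Whichever option is used, check with `snort -T -c snort.conf` that the rules parse before putting them in production.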


