Snort mailing list archives

Re: Question on port lists and negation


From: "Richard Bejtlich" <taosecurity () gmail com>
Date: Tue, 9 Oct 2007 22:18:25 -0400

On 10/8/07, John Curry <john.curry () metre net> wrote:
Hello Richard,

I believe something like the following should work, without the use of 'flow' in the rule.

alert tcp any !PORTS -> any !PORTS

The rule needs to apply to packets going to and coming from the ports in the PORTS list.  I have not found the "->"
token to do anything to enforce direction since at least 2.4.3.  I've had to rely on the 'flow' option to enforce a
packet direction for TCP sessions.


Hi John,

Wow, that is an interesting observation regarding -> and 2.4.3.  Can
anyone from Sourcefire confirm this?

Thank you,

Richard
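As an added illustration of the two points raised in the thread (port-list negation in the rule header, and using the 'flow' option rather than the "->" token to pin down direction), here is a small set of Snort 2.x rules. This is example material written for this archive page, not rules posted by John or Richard and not part of the Snort distribution. It assumes a Snort release with port-list/portvar support (the bracketed list syntax, 2.7 and later), and the variable name PORTS and the sid values are made up for the example.

```snort
# Added example: Snort 2.x rules showing port-list negation and 'flow'.
# Assumes port-list (portvar) syntax; PORTS and the sid values are hypothetical.

portvar PORTS [22,80,443]

# Header-only version: fires on any TCP packet whose source port AND
# destination port both fall outside PORTS, whichever end sent it.
alert tcp any !$PORTS -> any !$PORTS (msg:"TCP traffic on ports outside PORTS"; sid:1000001; rev:1;)

# Same header, but 'flow' limits the hit to packets the client sent in an
# established session. Direction comes from the stream preprocessor's
# notion of client/server, not from the "->" token.
alert tcp any !$PORTS -> any !$PORTS (msg:"client-to-server traffic on ports outside PORTS"; flow:to_server,established; sid:1000002; rev:1;)

# The reverse direction, server back to client, again selected by 'flow'.
alert tcp any !$PORTS -> any !$PORTS (msg:"server-to-client traffic on ports outside PORTS"; flow:to_client,established; sid:1000003; rev:1;)
```

Two caveats worth checking before relying on this: the 'flow' keyword only works when a stream preprocessor (stream4/stream5, depending on the release) is enabled in snort.conf, since that is where the client/server and established state comes from; and if the rule is loaded on a release without port-list support, the bracketed portvar line is a syntax error, in which case only single ports or port ranges (for example !80 or !1024:65535) can be negated in the header.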

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

