Negation while still using source ports.

[Vjay LaRosa <vjayl () emc com>]

Hello,

I have been fooling around with this rule all day and I was wondering if
some one could be so kind as to help me out. I want to ignore my DNS
servers in this alert. Here is the rule.


alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
(msg:"MISC TCP source port 53 to <1024"; flags:S;
reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)

When I take out the source port it seems to work. Is there another way I
should be doing this?
Thanks!

vjl

--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com