Snort mailing list archives

Re: Negation while still using source ports.


From: Phil Wood <cpw () lanl gov>
Date: Mon, 10 Sep 2001 17:14:27 -0600

On Mon, Sep 10, 2001 at 05:28:49PM -0400, Vjay LaRosa wrote:
Hello,

I have been fooling around with this rule all day and I was wondering if
someone could be so kind as to help me out. I want to ignore my DNS
servers in this alert. Here is the rule.


alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
                                      ^

That space breaks the parsing.  You might get away with:

             ![$HOME_NET,X.X.X.X,XXX.XXX.XXX.XXX] 53 -> $HOME_NET :1023

(msg:"MISC TCP source port 53 to <1024"; flags:S;
reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)

When I take out the source port it seems to work. Is there another way I
should be doing this?
Thanks!

vjl

--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com



-- 
Phil Wood, cpw () lanl gov
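To show concretely why the space breaks the rule, here is a small teaching parser for the Snort rule header (action, protocol, source address, source port, direction, destination address, destination port, then the option list). It is an added example, not Snort's own parser or anything from the thread; it assumes the 2001-era `![a,b]` list syntax, and uses constructed 192.0.2.x addresses in place of the X.X.X.X placeholders.

```python
import re

# Teaching parser for the Snort rule header discussed in the thread:
# action proto src_ip src_port direction dst_ip dst_port (options)
# This is not Snort's own code; it only checks the header shape.
HEADER_FIELDS = 7
DIRECTIONS = {"->", "<>"}
ADDR_ITEM = re.compile(r"^(\$\w+|any|\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)$")
PORT = re.compile(r"^!?(\$\w+|any|\d*:\d*|\d+)$")

def parse_addr(tok):
    """Return (negated, [items]) for an address field such as ![a,b] or $HOME_NET."""
    negated = tok.startswith("!")
    body = tok[1:] if negated else tok
    items = body[1:-1].split(",") if body.startswith("[") and body.endswith("]") else [body]
    bad = [i for i in items if not ADDR_ITEM.match(i)]
    if bad:
        raise ValueError(f"bad address item(s) {bad} in {tok!r}")
    return negated, items

def parse_header(rule):
    """Split a rule into its header fields; raise ValueError on a malformed header."""
    head, _, opts = rule.partition("(")
    fields = head.split()
    if len(fields) != HEADER_FIELDS:
        # The thread's failure: '![a,b] $EXTERNAL_NET' is two address tokens,
        # so the port and direction land in the wrong positions.
        raise ValueError(f"expected {HEADER_FIELDS} header fields, got {len(fields)}: {fields}")
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction {direction!r}")
    for p in (sport, dport):
        if not PORT.match(p):
            raise ValueError(f"bad port {p!r}")
    return {"action": action, "proto": proto, "src": parse_addr(src), "sport": sport,
            "direction": direction, "dst": parse_addr(dst), "dport": dport,
            "options": opts.rstrip(")").strip()}

def header_is_valid(rule):
    """True when the rule header parses; False on the field-count or token errors above."""
    try:
        parse_header(rule)
        return True
    except ValueError:
        return False

# Constructed sample rules (192.0.2.x documentation addresses stand in for X.X.X.X).
OPTIONS = '(msg:"MISC TCP source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)'
BROKEN_RULE = "alert tcp ![192.0.2.10,192.0.2.11] $EXTERNAL_NET 53 -> $HOME_NET :1023 " + OPTIONS
FIXED_RULE = "alert tcp ![$HOME_NET,192.0.2.10,192.0.2.11] 53 -> $HOME_NET :1023 " + OPTIONS

if __name__ == "__main__":
    for r in (BROKEN_RULE, FIXED_RULE):
        print("valid" if header_is_valid(r) else "invalid", "->", r.partition("(")[0])
```

The broken header yields eight fields and is rejected, while the folded form Phil suggests yields seven and parses with the negated three-item source list and source port 53 in their proper slots.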


