Snort mailing list archives
port ranges/selection
From: "Jonathan J. Hart" <jhart () ccs neu edu>
Date: Wed, 18 Jul 2001 21:59:38 -0400 (EDT)
Hey there,

I'm trying to write a rule that'll log and alert me of all traffic _not_ on a set of ports. For example, I want to log all traffic to a machine that is not bound for port 21, 80, or 443. I can do a single port (i.e., !X where X is the port number), but that only works when I want to eliminate a single port. Is there a syntax that'll allow this? I'd like to do something like:

    alert tcp ![$myhosts] any -> $WEB_SERVER ![21,80,443] (msg: "Foo";)

...where that'd log all connections from the world to ports other than 21,80,443.

Ideas? I checked the man pages, the updated "writing snort rules" document and every example I could find locally and on the web without success.

I can do this from the command line using the tcpdump-ish syntax:

    snort -i xl0 -Cvd ! port 80 and ! port 21 and ! port 443

And that gets me the expected results.

Thanks for any help/clues you can give me.

-jon
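An added example, not part of the original post and not Snort project code: one way to get the effect asked about is to expand the excluded set into the port ranges that remain, written in the rule language's low:high range syntax, and emit one rule per range. The function names are hypothetical; the source/destination fields and msg text are copied from the rule in the post as written.

```python
# Added example: turn "every port except these" into Snort low:high ranges,
# one alert rule per remaining range.
MAX_PORT = 65535


def complement_ranges(excluded, lo=0, hi=MAX_PORT):
    """Return (start, end) tuples covering lo..hi minus the excluded ports."""
    ranges = []
    start = lo
    for port in sorted(set(excluded)):
        if port < lo or port > hi:
            raise ValueError(f"port out of range: {port}")
        if port > start:
            # Gap between the previous excluded port and this one.
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def snort_port(start, end):
    """Format a range as a single port or as low:high."""
    return str(start) if start == end else f"{start}:{end}"


def build_rules(excluded, src="![$myhosts]", dst="$WEB_SERVER", msg="Foo"):
    """Build one rule per remaining range; src/dst/msg default to the post's values."""
    rules = []
    for start, end in complement_ranges(excluded):
        spec = snort_port(start, end)
        rules.append(
            f'alert tcp {src} any -> {dst} {spec} (msg: "{msg} (dst port {spec})";)'
        )
    return rules


if __name__ == "__main__":
    for rule in build_rules([21, 80, 443]):
        print(rule)
```

Adjacent excluded ports (for example 80 and 81) collapse into a single gap, so no empty range is emitted.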