Snort mailing list archives

How to Craft a rule that negates multiple ports??


From: Alan_Kloster () wstnres com
Date: Tue, 28 May 2002 10:02:45 -0500

I have been trying to craft a rule that will negate traffic coming from
ports 80 and 443.  Specifically the rule for "DOS MSDTC attempt", which
seems to generate an inordinate amount of false positives.  Using the
syntax ![80,443] or ![80, 443] or ![ 80 443] or !80 !443 or !80,!443
doesn't seem to work as the rules fail to load.  The "Guide to Writing
Snort Rules" mentions negation of single ports and port ranges, but not the
negation of multiple ports not in a range.   Also making two separate rules
doesn't work either, as the first rule alerts on port 80 successfully, but
the second rule doesn't appear to get applied as the traffic on port 443
doesn't alert.  I am using Snort 1.8.7.  Is this possible?

This rule won't load:

alert tcp $EXTERNAL_NET ![80,443] -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:2;)

From messages:

May 28 09:57:24 snort1 snort: FATAL ERROR: ERROR /usr/local/snort/dos.rules (22)
=> Invalid port: [80,443]

These rules only apply the first instance:

alert tcp $EXTERNAL_NET !80 -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:2;)
alert tcp $EXTERNAL_NET !443 -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:2;)


Alan Kloster
alan_kloster () wr com
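The following is an added illustration, not part of the original post or of Snort itself. It is a small Python evaluator for the Snort 1.x source-port grammar the poster is working with (single port, `N:M` range, open-ended range, `any`, and a leading `!` for negation). Running it against a few constructed source ports shows why the two separate `!80` and `!443` rules cannot express "neither 80 nor 443": each rule is evaluated on its own, so the `!443` rule still fires on traffic from port 80 and the `!80` rule still fires on traffic from port 443. The `matches_all` helper shows the AND semantics the poster wants, which only a single combined port expression could give; the `[80,443]` list syntax is rejected here with the same "Invalid port" wording Snort logged.

```python
# Added example (not Snort's code): evaluate Snort 1.x-style port specs
# to show how separate negated rules combine (they don't).
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortSpec:
    """A parsed port spec: an inclusive range plus a negation flag."""
    low: int
    high: int
    negated: bool

    def matches(self, port: int) -> bool:
        inside = self.low <= port <= self.high
        return (not inside) if self.negated else inside


def _to_port(text: str, original: str) -> int:
    try:
        return int(text)
    except ValueError:
        # Mirrors the error the poster saw: bracketed lists are not
        # part of this grammar, so "[80,443]" is rejected here too.
        raise ValueError(f"Invalid port: {original}") from None


def parse_port_spec(text: str) -> PortSpec:
    """Parse 'any', 'N', 'N:M', ':M', 'N:', optionally prefixed by '!'."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    if text == "any":
        return PortSpec(0, 65535, negated)
    if ":" in text:
        lo, hi = text.split(":", 1)
        low = _to_port(lo, text) if lo else 0
        high = _to_port(hi, text) if hi else 65535
    else:
        low = high = _to_port(text, text)
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"Invalid port: {text}")
    return PortSpec(low, high, negated)


def rules_that_fire(rule_ports: List[str], src_port: int) -> List[int]:
    """Indexes of rules whose source-port spec matches src_port.
    Each rule is evaluated independently, which is how Snort treats
    separate rules; there is no implicit AND between them."""
    return [i for i, spec in enumerate(rule_ports)
            if parse_port_spec(spec).matches(src_port)]


def matches_all(port_specs: List[str], src_port: int) -> bool:
    """AND of several specs: the semantics '![80,443]' was meant to have,
    i.e. alert only when the source port is none of the excluded ones."""
    return all(parse_port_spec(s).matches(src_port) for s in port_specs)


if __name__ == "__main__":
    # Constructed sample: two separate rules as in the post, plus three
    # source ports (two excluded ones and one that should still alert).
    separate_rules = ["!80", "!443"]
    for port in (80, 443, 8080):
        print(f"src port {port}: separate rules firing = "
              f"{rules_that_fire(separate_rules, port)}, "
              f"combined AND = {matches_all(separate_rules, port)}")
    try:
        parse_port_spec("![80,443]")
    except ValueError as err:
        print("rule would not load:", err)
```

With the constructed sample, traffic from port 80 still fires the `!443` rule and traffic from port 443 still fires the `!80` rule, so splitting the negation across two rules never silences either port; only the combined AND evaluation suppresses both while still alerting on 8080.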

