[Snort-devel] Port Matching Logic

snort user snort.user at ...2499...
Mon Nov 3 14:22:56 EST 2008


Hello and greetings!

If a portvar definition has a conflicting meaning, for example:

portvar HTTP_PORTS [80,!0:1024]
alert tcp any any -> any $HTTP_PORTS (............);

If a TCP packet has destination port 80, then should it match or not?

80 says the packet should match
!0:1024 says it should not match

In Snort 2.8 this results in a mismatch.

Should such inconsistencies be caught during rule parsing, or be left to the rule writer to avoid?

The thing is, sometimes it may be confusing and so hard to avoid.


Thoughts?
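As an added illustration (not code from Snort or from the poster), here is a small Python model of a Snort-style port list in which every `!` entry is an exclusion that wins over any include. That rule reproduces the mismatch described above for `[80,!0:1024]`, and the `conflicts()` function is the kind of parse-time check the question asks about: it returns the port ranges that are both included and excluded. The model assumes single-level lists of port numbers, `lo:hi` ranges (open at either end) and `any`; nested lists and `$VAR` references are not handled, and the portvars fed to it below are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

Range = Tuple[int, int]
_SPEC = re.compile(r"^(!?)(\d+|any|\d*:\d*)$")  # "80", "!80", "0:1024", ":1024", "1024:", "any"


@dataclass
class PortList:
    includes: List[Range] = field(default_factory=list)
    excludes: List[Range] = field(default_factory=list)


def parse_port_spec(spec: str) -> Tuple[bool, Range]:
    """Parse one list item into (negated, (lo, hi))."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError("unsupported port spec: %r" % spec)
    negated, body = bool(m.group(1)), m.group(2)
    if body == "any":
        lo, hi = 0, 65535
    elif ":" in body:
        lo_s, hi_s = body.split(":", 1)
        lo = int(lo_s) if lo_s else 0       # ":1024" means 0:1024
        hi = int(hi_s) if hi_s else 65535   # "1024:" means 1024:65535
    else:
        lo = hi = int(body)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("port range out of order or out of bounds: %r" % spec)
    return negated, (lo, hi)


def parse_portvar(text: str) -> PortList:
    """Parse "[80,!0:1024]" or a bare "80" into a PortList (single level only)."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    pl = PortList()
    for item in text.split(","):
        if not item.strip():
            continue
        negated, rng = parse_port_spec(item)
        (pl.excludes if negated else pl.includes).append(rng)
    return pl


def _in_any(ranges: List[Range], port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def matches(pl: PortList, port: int) -> bool:
    """Exclusions win; with no includes at all, everything not excluded matches."""
    if _in_any(pl.excludes, port):
        return False
    if not pl.includes:
        return True
    return _in_any(pl.includes, port)


def conflicts(pl: PortList) -> List[Range]:
    """Port ranges that are both included and excluded, i.e. ports that can never match."""
    found = []
    for ilo, ihi in pl.includes:
        for elo, ehi in pl.excludes:
            lo, hi = max(ilo, elo), min(ihi, ehi)
            if lo <= hi:
                found.append((lo, hi))
    return found


if __name__ == "__main__":
    # Constructed portvars for the example.
    for var in ("[80,!0:1024]", "[!0:1024]", "[80,8080,8000:8100]"):
        pl = parse_portvar(var)
        print(var, "port 80 ->", matches(pl, 80), "conflicts ->", conflicts(pl))
```

Running `conflicts()` at parse time is a cheap way to turn the silent mismatch into a warning: the rule writer is told exactly which ports of `[80,!0:1024]` are dead before the rule is loaded.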



