[Snort-devel] Port Matching Logic
snort.user at ...2499...
Mon Nov 3 14:22:56 EST 2008
Hello and greetings!
If a portvar definition has conflicting meaning, for example:

    portvar HTTP_PORTS [80,!0:1024]
    alert tcp any any -> any $HTTP_PORTS (............);

If a TCP packet has destination port 80, then should it match or not?
80 says the packet should match
!0:1024 says it should not match
In snort 2.8 this results in a mismatch.
Should such inconsistencies be caught during rule parsing,
or be left to the rule writer to avoid?
The thing is, sometimes it may be confusing and so hard to avoid.
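
A parse-time check of the kind asked about above, as an added example that is not part of the original post and not Snort's own code. It assumes a flat port list and a model in which a negated entry overrides any positive entry, which is consistent with the Snort 2.8 result reported for port 80; the function names are hypothetical.

```python
"""Lint a flat Snort-style port list for entries cancelled by a negation."""

def parse_item(tok):
    """Return (negated, lo, hi) for tokens such as '80', '!0:1024', '1024:'."""
    tok = tok.strip()
    negated = tok.startswith("!")
    body = tok[1:] if negated else tok
    if not body:
        raise ValueError(f"empty port item: {tok!r}")
    if body == "any":
        return negated, 0, 65535
    lo, sep, hi = body.partition(":")
    lo_n = int(lo) if lo else 0
    hi_n = int(hi) if hi else (65535 if sep else lo_n)
    if not 0 <= lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port item: {tok!r}")
    return negated, lo_n, hi_n

def parse_list(text):
    """Parse '[80,!0:1024]' (brackets optional); nested lists are not handled."""
    inner = text.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [parse_item(t) for t in inner.split(",")]

def matches(items, port):
    """Assumed model: a port matches a positive entry and no negated entry."""
    positives = [(lo, hi) for neg, lo, hi in items if not neg]
    negations = [(lo, hi) for neg, lo, hi in items if neg]
    # A list made only of negations means "everything except these".
    wanted = not positives or any(lo <= port <= hi for lo, hi in positives)
    return wanted and not any(lo <= port <= hi for lo, hi in negations)

def conflicts(items):
    """Return (positive, negation, cancelled_range) for every overlap."""
    found = []
    for neg_p, plo, phi in items:
        for neg_n, nlo, nhi in items:
            lo, hi = max(plo, nlo), min(phi, nhi)
            if not neg_p and neg_n and lo <= hi:
                found.append(((plo, phi), (nlo, nhi), (lo, hi)))
    return found

if __name__ == "__main__":
    # Port list taken from the post; the second one is a constructed sample.
    for text in ("[80,!0:1024]", "[1:2000,!0:1024]"):
        items = parse_list(text)
        print(text, "port 80 matches:", matches(items, 80))
        for pos, neg, gone in conflicts(items):
            print(f"  warning: {pos} is cancelled over {gone} by !{neg}")
```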