[Snort-devel] Maybe I'm missing something...

Will Metcalf william.metcalf at ...2499...
Wed May 5 23:50:29 EDT 2010


Don't forget the colon...
> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024:
>

According to the example in the snort manual this means any port equal
to or greater than 1024, 43844 > 1024.

 "log tcp any :1024 -> 192.168.1.0/24 500:
  log tcp traffic from privileged ports less than or equal to 1024
going to ports greater than or equal to 500
"
Regards,

Will




More information about the Snort-devel mailing list