[Snort-sigs] more than one port in a rule?
scheidell at ...249...
Tue Apr 30 19:57:02 EDT 2002
> Since we use a lot of IMAP around here I would like to modify some of
> the snort POP rules to also work with IMAP. So far as I can tell from
> rtfm I need to actually duplicate the rule with 143 instead of 110.
> What I would like to do is:
> alert tcp any any -> any [110,143](...)
> Have I got this right? or is there a way to specify a list rather than
> just a range for ports.
alert tcp any any -> any 110:143
includes so little REAL extra traffic that you should be safe.
to make sure they arn't SENDING it out via web based email or smtp:
alert tcp any any -> any 25:143
what other REAL ports are in there?
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
More information about the Snort-sigs