[Snort-sigs] more than one port in a rule?

Michael Scheidell scheidell at ...249...
Tue Apr 30 19:57:02 EDT 2002


> Hi,
> 	Since we use a lot of IMAP around here I would like to modify some of
> the snort POP rules to also work with IMAP.  So far as I can tell from
> rtfm I need to actually duplicate the rule with 143 instead of 110. 
> What I would like to do is:
> alert tcp any any -> any [110,143](...)
> 
> Have I got this right? or is there a way to specify a list rather than
> just a range for ports.

 alert tcp any any -> any 110:143
includes so little REAL extra traffic that you should be safe.

to make sure they aren't SENDING it out via web based email or smtp:

 alert tcp any any -> any 25:143

what other REAL ports are in there?

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/
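
The range workaround in the reply, worked through as an added example (not part of the original message): a small Python parser for Snort's rule-header port-range syntax that lists which other services a range such as 110:143 also covers. `SERVICES` is a constructed sample of IANA well-known TCP assignments, and `parse_port_spec`, `matches` and `collateral` are names made up for this illustration.

```python
# Added example: expand Snort port-range syntax and show what a range
# workaround also matches. SERVICES is a constructed sample of IANA
# well-known TCP assignments, not an exhaustive list.
SERVICES = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
    79: "finger", 80: "http", 110: "pop3", 111: "sunrpc", 113: "auth",
    119: "nntp", 135: "epmap", 139: "netbios-ssn", 143: "imap",
}

def parse_port_spec(spec):
    """Return (low, high, negated) for a Snort rule-header port field.

    Handles: any, N, N:M, :M, N: and a leading ! for negation.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        low, high = 0, 65535
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0        # ":143" means up to 143
        high = int(hi) if hi else 65535   # "110:" means 110 and above
    else:
        low = high = int(spec)
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high, negated

def matches(spec, port):
    """True if a rule with this port field would apply to the given port."""
    low, high, negated = parse_port_spec(spec)
    return (low <= port <= high) != negated

def collateral(spec, intended):
    """Known services matched by spec that are not in the intended set."""
    return {p: name for p, name in sorted(SERVICES.items())
            if matches(spec, p) and p not in intended}

if __name__ == "__main__":
    for spec, wanted in (("110:143", {110, 143}), ("25:143", {25, 110, 143})):
        low, high, _ = parse_port_spec(spec)
        extra = collateral(spec, wanted)
        print(f"{spec}: {high - low + 1} ports, also covers {extra}")
```

Each extra service in the output is a place where the POP content match can fire on unrelated traffic, so the listed ports are the ones to check against alert volume before keeping the range.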




