[Snort-sigs] more than one port in a rule?
mkettler at ...189...
Tue Apr 30 20:16:04 EDT 2002
Well, after reading the fine manual on specifying ports in rules:
There is no way (at least not a documented one) to specify a list of
ports. Ports are either any, single, a range, or a negation of any of the
I'd simply create two rules. Besides, this way you can indicate in the
alert message what kind of mail exchange the virus (I assume it's one of
the virus rules you're messing with) is going over.
I have my own versions of the virus rules which include SMTP (inbound),
SMTP (outbound) and POP versions, each of which indicates what's going on
in the alert message. I tend to be a bit more reactive to the outbound ones,
because it means someone actually activated the virus without an
appropriate scanner inside my network (ouch!).
At 02:31 PM 5/1/2002 +1200, Russell Fulton wrote:
> Since we use a lot of IMAP around here I would like to modify some of
>the snort POP rules to also work with IMAP. So far as I can tell from
>rtfm I need to actually duplicate the rule with 143 instead of 110.
>What I would like to do is:
>alert tcp any any -> any [110,143](...)
>Have I got this right? or is there a way to specify a list rather than
>just a range for ports.
>Russell Fulton, Computer and Network Security Officer
>The University of Auckland, New Zealand
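
An added example, not part of the original thread: a small generator that applies the reply's advice by expanding one rule template into a separate single-port rule per port, tagging each alert message with the protocol. The bracketed list is treated here only as input shorthand for the script; `expand_rule`, `SERVICE_NAMES`, the sample rule and the sid values are constructed for illustration.

```python
import re

# Constructed labels for the alert message; not taken from any Snort file.
SERVICE_NAMES = {25: "SMTP", 110: "POP3", 143: "IMAP"}

# Rule header with a bracketed destination port list, then "(options)".
RULE_RE = re.compile(
    r'^(?P<head>\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+)'
    r'\[(?P<ports>\d+(?:\s*,\s*\d+)*)\]\s*\((?P<opts>.*)\)\s*$'
)

def expand_rule(template, base_sid):
    """Return one single-port rule per listed port, each with its own msg tag and sid."""
    m = RULE_RE.match(template.strip())
    if m is None:
        raise ValueError("expected a bracketed destination port list")
    rules = []
    for offset, text in enumerate(m.group("ports").split(",")):
        port = int(text)
        if not 0 < port < 65536:
            raise ValueError("port out of range: %d" % port)
        label = SERVICE_NAMES.get(port, "port %d" % port)
        # Tag the alert message so the alert says which mail protocol was involved.
        opts, count = re.subn(r'msg\s*:\s*"([^"]*)"',
                              lambda mo: 'msg:"%s (%s)"' % (mo.group(1), label),
                              m.group("opts"), count=1)
        if count == 0:
            raise ValueError("template has no msg option to tag")
        # Duplicated rules must not share a sid: drop the old one, assign a new one.
        opts = re.sub(r'\bsid\s*:\s*\d+\s*;\s*', '', opts).strip()
        rules.append('%s%d (%s sid:%d;)' % (m.group("head"), port, opts, base_sid + offset))
    return rules

# Constructed sample template; the options are illustrative, not a real virus rule.
SAMPLE = ('alert tcp any any -> any [110,143] (msg:"Constructed sample attachment"; '
          'content:"sample.exe"; nocase; sid:1000001;)')

if __name__ == "__main__":
    for rule in expand_rule(SAMPLE, base_sid=1000010):
        print(rule)
```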