[Snort-sigs] more than one port in a rule?

Matt Kettler mkettler at ...189...
Tue Apr 30 20:16:04 EDT 2002


Well, after reading the fine manual on specifying ports in rules:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.4

There is no way (at least not a documented one) to specify a list of 
ports. Ports are either any, single, a range, or a negation of any of the 
previous three.

I'd simply create two rules. Besides, this way you can indicate in the 
alert message what kind of mail exchange the virus (I assume it's one of 
the virus rules you're messing with) is going over.


I have my own versions of the virus rules which include SMTP (inbound), 
SMTP (outbound) and POP versions, each of which indicates what's going on 
in the alert message. I tend to be a bit more reactive to the outbound ones, 
because it means someone actually activated the virus without an 
appropriate scanner inside my network (ouch!).


At 02:31 PM 5/1/2002 +1200, Russell Fulton wrote:
>Hi,
>         Since we use a lot of IMAP around here I would like to modify some of
>the snort POP rules to also work with IMAP.  So far as I can tell from
>rtfm I need to actually duplicate the rule with 143 instead of 110.
>What I would like to do is:
>alert tcp any any -> any [110,143](...)
>
>Have I got this right? Or is there a way to specify a list rather than
>just a range for ports?
>
>--
>Russell Fulton, Computer and Network Security Officer
>The University of Auckland,  New Zealand
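As an added illustration (not code from either poster or from Snort itself), here is a small Python checker for the Snort 1.x port-field grammar the manual describes (any, single port, range, or a negation of those) together with the two-rule workaround Matt recommends. The `{port}`/`{label}` template placeholders are my own convention, not Snort syntax, and the grammar is taken from the post rather than a newer Snort release.

```python
import re

# Port-field grammar as the cited manual documents it for Snort 1.x:
# "any", a single port, a range "N:M" (either end may be omitted),
# or "!" negating any of those. A list such as [110,143] is not valid.
_RANGE = re.compile(r"^(\d*):(\d*)$")


def parse_port_spec(spec):
    """Return (negated, low, high) for a valid port field,
    or raise ValueError for anything the documented grammar rejects."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return negated, 0, 65535
    if body.isdigit():
        port = int(body)
        if port > 65535:
            raise ValueError("port out of range: %s" % spec)
        return negated, port, port
    m = _RANGE.match(body)
    if m and (m.group(1) or m.group(2)):
        low = int(m.group(1)) if m.group(1) else 0
        high = int(m.group(2)) if m.group(2) else 65535
        if low > high or high > 65535:
            raise ValueError("bad range: %s" % spec)
        return negated, low, high
    # Anything else, including a bracketed list, is rejected.
    raise ValueError("unsupported port specification: %s" % spec)


def port_matches(spec, port):
    """True if traffic on `port` satisfies the rule's port field."""
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return not inside if negated else inside


def expand_ports(template, ports):
    """Emulate a port list the way the post suggests: one rule per port,
    with a protocol label folded into msg so the alert says what it saw.
    `template` uses {port} and {label} slots (my convention, constructed
    here); `ports` maps port number -> label, e.g. {110: "POP3", 143: "IMAP"}."""
    rules = []
    for port, label in sorted(ports.items()):
        parse_port_spec(str(port))  # every generated port field must be valid
        rules.append(template.format(port=port, label=label))
    return rules
```

Running `expand_ports('alert tcp any any -> any {port} (msg:"Virus - {label}";)', {110: "POP3", 143: "IMAP"})` yields the two separate POP3 and IMAP rules the thread settles on, while `parse_port_spec("[110,143]")` raises ValueError.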




