[Snort-sigs] Multiple ranges of ports

Erek Adams erek at ...101...
Thu Aug 15 15:43:01 EDT 2002

On Thu, 15 Aug 2002 rjohnson at ...759... wrote:

> I would like to write a rule to detect traffic that should not be on my
> network, however my range is not contiguous.
> So something like
> log tcp any !80 !443 <> any any
> From my understanding this feature won't be available until snort 2.0. Any
> workarounds, without having to make rules for countless ports that should
> not be on my net?

Well...  Here's a snippet from the ChangeLog from 1.9 CVS.

2002-08-13  Chris Green  <cmg at ...435...>

        * src/preprocessors/spp_conversation.c:
          new option alert_odd_protocols
          set allowed_ip_protocols to the numbers you like and it will alert
          on all bad protocols

Sounds like that would be close to what you want.


Erek Adams
