[Snort-sigs] Multiple ranges of ports

Erek Adams erek at ...101...
Thu Aug 15 15:43:01 EDT 2002


On Thu, 15 Aug 2002 rjohnson at ...759... wrote:

> I would like to write a rule to detect traffic that should not be on my
> network, however my range is not contiguous.
> So something like
> log tcp any !80 !443 <> any any
>
> >From my understading this feature won't be available until snort 2.0. Any
> workarounds, without having to make rules for countless ports that should
> not be on my net?

Well...  Here's a snippet from the ChangeLog from 1.9 CVS.

--
2002-08-13  Chris Green  <cmg at ...435...>

        * src/preprocessors/spp_conversation.c:
          new option alert_odd_protocols
          set allowed_ip_protocols to the numbers you like and it will alert
          on all bad protocols
--

Sounds like that would be close to what you want.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-sigs mailing list