[Snort-sigs] Rule with two ports

Brian bmc at ...95...
Fri Mar 1 10:43:14 EST 2002


According to Suzanne.VanPatten at ...394...:
> I'm trying to write a snort rule that allows me to alert on all traffic of a
> type that is not to two distinct ports...tried !porta!portb and all
> combinations I could think of (including creating a variable, i.e. PORTTEST
> [1,3]). Is there a way to do this??

Only if the ports are sequential.

For example: alert udp any any -> any 161:162 (msg:"snmp";)

-- 
The plague, dirt, lack of running water, illiteracy, ignorance, and
oppressive political and social systems are what made the dark ages what
they were.
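
An added example, not part of the original message: when the ports to exclude are not sequential, the same effect can be had with several rules whose port ranges cover the gaps around them, using only the range and negation operators mentioned in this thread. The function names and msg strings are hypothetical, port 0 is assumed to be out of scope, and the generated rules carry only a msg option like the example above.

```python
MAX_PORT = 65535


def _span(a, b):
    """Format an inclusive port span as a Snort port field."""
    return str(a) if a == b else "%d:%d" % (a, b)


def port_specs(excluded, lo=1, hi=MAX_PORT):
    """Port fields that together match every port in lo..hi except `excluded`."""
    ports = sorted(set(excluded))
    if not ports:
        return ["any"]
    if ports[0] < lo or ports[-1] > hi:
        raise ValueError("excluded port outside %d..%d" % (lo, hi))
    # Sequential ports: one negated range is enough (the case the reply covers).
    if ports[-1] - ports[0] == len(ports) - 1:
        if len(ports) == 1:
            return ["!%d" % ports[0]]
        return ["!%d:%d" % (ports[0], ports[-1])]
    # Non-sequential ports: emit the ranges that lie between the excluded ones.
    specs, start = [], lo
    for p in ports:
        if p > start:
            specs.append(_span(start, p - 1))
        start = p + 1
    if start <= hi:
        specs.append(_span(start, hi))
    return specs


def rules(proto, excluded, msg):
    """One alert rule per port field; each packet matches at most one of them."""
    template = 'alert %s any any -> any %s (msg:"%s";)'
    return [template % (proto, spec, msg) for spec in port_specs(excluded)]


if __name__ == "__main__":
    # Constructed inputs: the sequential SNMP ports, then ports 1 and 3.
    for line in rules("udp", [161, 162], "udp not to snmp ports"):
        print(line)
    for line in rules("tcp", [1, 3], "tcp not to port 1 or 3"):
        print(line)
```

Because the generated ranges do not overlap, a packet to a non-excluded port triggers exactly one of the rules.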




