[Snort-sigs] A question about Snort
Anthony.Kim at ...1587...
Thu Jun 12 12:51:11 EDT 2003
On Thu, Jun 12, 2003, adam.w.hogan wrote:
> The way I have the P2P GNUTella GET rule is:
> alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
> Of course, you'll need to define $HTTP_PORTS in snort.conf. Or you
> could just replace !$HTTP_PORTS in the rule with ![80, 8080].
No, the latter won't work. A port list is not yet supported. You
can either specify a port range using the ':' operator,
specify a single port, or use a keyword like 'any'.
A port list is on my wish list but I have to cough up some
bounty for the developers ;-)
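
Added example, not part of the original post and not Snort's own parser: a small Python lint that checks the port fields of a rule header against the forms named in the reply (single port, ':' range, 'any'), plus the '!' negation and $variable the quoted rule uses. The names `check_port` and `lint_rule` and the two rule variants are constructed for illustration.

```python
import re

# Port forms named in the reply: one port, a range written with ':', or the
# keyword 'any'. The quoted rule also uses '!' negation and a $variable.
PORT_RE = re.compile(r"^!?(any|\$\w+|\d{1,5}|\d{1,5}:\d{0,5}|:\d{1,5})$")

# Header: action proto src_ip src_port direction dst_ip dst_port (options).
# Port fields are matched lazily so that "![80, 8080]", which contains a
# space, stays one field instead of shifting every later token.
HEADER_RE = re.compile(
    r"^\s*\w+\s+\w+\s+\S+\s+(?P<sport>.+?)\s+(?:->|<>)\s+\S+\s+"
    r"(?P<dport>.+?)\s*\((?P<opts>.*)\)\s*$", re.S)

def check_port(field):
    """Return None if the port field is acceptable, else the reason."""
    if "[" in field or "," in field:
        return "port list: use a single port, a ':' range, or 'any'"
    if not PORT_RE.match(field):
        return "unrecognised port syntax"
    if any(int(n) > 65535 for n in re.findall(r"\d+", field)):
        return "port number above 65535"
    return None

def lint_rule(rule):
    """Return [(field, value, problem)] for the port fields of one rule."""
    m = HEADER_RE.match(rule)
    if not m:
        return [("header", rule.split("(")[0].strip(), "cannot parse header")]
    return [(name, m.group(name), why) for name in ("sport", "dport")
            if (why := check_port(m.group(name)))]

# The rule quoted in the thread, then two constructed variants of its
# destination port: the list form from the thread and a ':' range. The
# range is not equivalent to the list: it covers every port from 80 to 8080.
QUOTED = ('alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS '
          '(msg:"P2P GNUTella GET"; flow:to_server,established; '
          'content:"GET "; offset:0; depth:4; '
          'classtype:policy-violation; sid:1432; rev:4;)')
LIST_FORM = QUOTED.replace("!$HTTP_PORTS", "![80, 8080]")
RANGE_FORM = QUOTED.replace("!$HTTP_PORTS", "!80:8080")

if __name__ == "__main__":
    for label, rule in (("quoted", QUOTED), ("list", LIST_FORM),
                        ("range", RANGE_FORM)):
        print(label, lint_rule(rule) or "ok")
```
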