[Snort-sigs] A question about Snort

Anthony Kim Anthony.Kim at ...1587...
Thu Jun 12 12:51:11 EDT 2003

On Thu, Jun 12, 2003, adam.w.hogan wrote:

> The way I have the P2P GNUTella GET rule is:
> alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"P2P GNUTella
> GET"; 
> flow:to_server,established; content:"GET "; offset:0; depth:4; 
> classtype:policy-violation; sid:1432; rev:4;)
> Of coarse, you'll need to define $HTTP_PORTS in snort.conf.  Or you
> could just replace !$HTTP_PORTS in the rule with ![80, 8080].

No the latter won't work.  A port list is not yet supported.  You
can either specify a port range using the ':' operator or,
specify a single port, or use a keyword like 'any'.

A port list is on my wish list but I have to cough up some
bounty for the developers ;-)

More information about the Snort-sigs mailing list