[Snort-sigs] A question about Snort
mkettler at ...189...
Thu Jun 12 13:48:16 EDT 2003
At 02:50 PM 6/12/2003 -0500, Anthony Kim wrote:
>On Thu, Jun 12, 2003, adam.w.hogan wrote:
> > The way I have the P2P GNUTella GET rule is:
> > alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)
> > Of course, you'll need to define $HTTP_PORTS in snort.conf. Or you
> > could just replace !$HTTP_PORTS in the rule with ![80, 8080].
>No, the latter won't work. A port list is not yet supported. You
>can either specify a port range using the ':' operator,
>specify a single port, or use a keyword like 'any'.
>A port list is on my wish list but I have to cough up some
>bounty for the developers ;-)
You can, however, kludge this "exclusion of two ports" by making 3 rules:
one covering 0:78, one for 81:8079 and one for 8081:65535.
It's a little less convenient, but it has the same effect as ![80,8080] would
have, if it were supported.
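The range-splitting workaround above, as an added example that is not part of the thread or of the Snort project: a small Python script that computes the complement of an arbitrary set of excluded destination ports over 0:65535 (so it generalizes from two ports to any number, including adjacent ones) and renders one copy of the quoted GNUTella rule per allowed range. The function names, the `{ports}`/`{sid}` placeholders and the local sid numbers starting at 1000001 are this example's own assumptions; the rule body is the one quoted in the thread.

```python
"""Generate the "one rule per allowed port range" workaround for a Snort
version without port-list syntax.  Added example, not code from the thread."""

MAX_PORT = 65535

# Rule text taken from the thread; {ports} and {sid} are placeholders
# introduced by this example (assumption, not Snort syntax).
RULE_TEMPLATE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET {ports} '
    '(msg:"P2P GNUTella GET"; flow:to_server,established; '
    'content:"GET "; offset:0; depth:4; classtype:policy-violation; '
    'sid:{sid}; rev:4;)'
)


def complement_ranges(excluded, max_port=MAX_PORT):
    """Return sorted, non-overlapping (lo, hi) ranges covering 0..max_port
    with every port in `excluded` left out.  Adjacent excluded ports are
    merged into a single gap; Snort's ':' operator is inclusive on both ends."""
    ranges = []
    lo = 0
    for port in sorted(set(excluded)):
        if not 0 <= port <= max_port:
            raise ValueError(f"port {port} out of range 0..{max_port}")
        if port > lo:
            ranges.append((lo, port - 1))
        lo = port + 1
    if lo <= max_port:
        ranges.append((lo, max_port))
    return ranges


def snort_port_spec(lo, hi):
    """Render one inclusive range in Snort's ':' syntax (a single port stays bare)."""
    return str(lo) if lo == hi else f"{lo}:{hi}"


def expand_rule(template, excluded, base_sid=1000001, max_port=MAX_PORT):
    """Expand a rule template into one rule per allowed range.  Each copy gets
    its own sid so the rule set has no duplicates; 1000001+ is used here as a
    constructed local-rule numbering (assumption)."""
    return [
        template.format(ports=snort_port_spec(lo, hi), sid=base_sid + i)
        for i, (lo, hi) in enumerate(complement_ranges(excluded, max_port))
    ]


if __name__ == "__main__":
    # The case from the thread: keep 80 and 8080 out of the destination ports.
    for rule in expand_rule(RULE_TEMPLATE, [80, 8080]):
        print(rule)
```

Every generated rule keeps the same `content`, `flow` and `classtype` options, so the only thing that differs between copies is the port range and the sid; if the rule body is later revised, only the template needs changing.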