[Snort-sigs] A question about Snort

Matt Kettler mkettler at ...189...
Thu Jun 12 13:48:16 EDT 2003


At 02:50 PM 6/12/2003 -0500, Anthony Kim wrote:
>On Thu, Jun 12, 2003, adam.w.hogan wrote:
>
> > The way I have the P2P GNUTella GET rule is:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"P2P GNUTella
> > GET";
> > flow:to_server,established; content:"GET "; offset:0; depth:4;
> > classtype:policy-violation; sid:1432; rev:4;)
> >
> > Of course, you'll need to define $HTTP_PORTS in snort.conf.  Or you
> > could just replace !$HTTP_PORTS in the rule with ![80, 8080].
>
>No the latter won't work.  A port list is not yet supported.  You
>can either specify a port range using the ':' operator or,
>specify a single port, or use a keyword like 'any'.
>
>A port list is on my wish list but I have to cough up some
>bounty for the developers ;-)

You can however kludge this "exclusion of two ports" by making 3 rules:
one covering 0:78, one for 81:8079 and one for 8081:65535.

It's a little less convenient, but it's the same effect as ![80,8080] would 
have, if it were supported.
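The workaround above generalises to any set of excluded ports. As an added example (not from this thread and not Snort project code), the script below computes the port ranges complementary to an excluded set and emits one copy of the quoted GNUTella GET rule per range, so the result matches what a `![80,8080]` list would mean. The rule template is the rule as quoted earlier in the thread; the sid values starting at 1000001 are an assumption following the convention that local rules use sids of 1,000,000 and above, since each generated rule needs a distinct sid.

```python
# Added example: emulate a port-list negation (e.g. ![80,8080]) for a Snort
# version whose rule port field accepts only a single port, one low:high
# range, 'any', or a single negation. The excluded set is turned into the
# complementary ranges over 0..65535 and one rule is emitted per range.
from typing import Iterable, List, Tuple

MAX_PORT = 65535


def complement_ranges(excluded: Iterable[int]) -> List[Tuple[int, int]]:
    """Return sorted, non-overlapping (low, high) ranges covering every port
    in 0..65535 that is NOT in `excluded`. Handles duplicates, adjacent
    ports (no empty ranges), and exclusions at either end of the space."""
    ports = sorted({p for p in excluded if 0 <= p <= MAX_PORT})
    ranges: List[Tuple[int, int]] = []
    start = 0
    for p in ports:
        if p > start:                    # gap before this excluded port
            ranges.append((start, p - 1))
        start = p + 1                    # resume just past it
    if start <= MAX_PORT:                # tail after the last excluded port
        ranges.append((start, MAX_PORT))
    return ranges


def format_port(lo: int, hi: int) -> str:
    """Render a range in Snort syntax: a bare port, or low:high."""
    return str(lo) if lo == hi else f"{lo}:{hi}"


def is_covered(ranges: List[Tuple[int, int]], port: int) -> bool:
    """True if `port` falls inside any of the ranges (sanity check)."""
    return any(lo <= port <= hi for lo, hi in ranges)


def expand_rule(template: str, excluded: Iterable[int], base_sid: int) -> List[str]:
    """Produce one rule per complementary range. `template` must contain
    {port} and {sid} placeholders; sids are allocated from base_sid upward."""
    return [
        template.format(port=format_port(lo, hi), sid=base_sid + i)
        for i, (lo, hi) in enumerate(complement_ranges(excluded))
    ]


# The GNUTella GET rule quoted in the thread, with the destination port and
# sid turned into placeholders.
GNUTELLA_TEMPLATE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET {port} '
    '(msg:"P2P GNUTella GET"; flow:to_server,established; '
    'content:"GET "; offset:0; depth:4; classtype:policy-violation; '
    'sid:{sid}; rev:4;)'
)

# Assumed local-rule sid base (convention: local rules use sids >= 1000000).
LOCAL_SID_BASE = 1000001

if __name__ == "__main__":
    excluded = [80, 8080]
    ranges = complement_ranges(excluded)
    # Neither excluded port may be matched by the generated ranges.
    assert not any(is_covered(ranges, p) for p in excluded)
    for rule in expand_rule(GNUTELLA_TEMPLATE, excluded, LOCAL_SID_BASE):
        print(rule)
```

Running it prints three rules with destination ports `0:79`, `81:8079` and `8081:65535`; the generated ranges are computed from the excluded set rather than typed by hand, which is where the manual version of this kludge tends to go wrong. Paste the output into a local rules file and reload Snort as usual.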
