[Snort-sigs] A question about Snort

Erek Adams erek at ...95...
Fri Jun 13 03:15:14 EDT 2003


On Tue, 10 Jun 2003, Maria Teresa Herrera Hueso wrote:

> We have installed Snort 2.0. We would like to make our own alerts for Snort.
>
> We would like to modify this alert:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
>
> to specify !80 and !8080, I mean, that there were no alerts on these ports
> (80 and 8080), but we do not know how to write it. How could we do it?
> Could you send us a manual about this, please?

You can't.  Snort can't do 'port lists'.

You just need to copy the rule and change the port on the copy.

Check the source tarball for the manual, or check Snort.org under
'documentation'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



