[Snort-sigs] A question about Snort
erek at ...95...
Fri Jun 13 03:15:14 EDT 2003
On Tue, 10 Jun 2003, Maria Teresa Herrera Hueso wrote:
> we have installed Snort 2.0. We would like to make our own alerts for Snort.
> We would like to modify this alert:
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
> to specify ! 80 and ! 8080, I mean, there were no alerts on these ports (80
> and 8080), but we do not know how to write it. How could we do it?
> Could you send us a manual about this, please?
You can't. Snort can't do 'port lists'.
You just need to copy the rule and change the port on the copy.
Check the source tarball for the manual, or check Snort.org under
"When things get weird, the weird turn pro." H.S. Thompson
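
An added example, not part of the original post: a small Python model of how the destination-port field of a Snort 2.0 rule header is matched, applied to sid 1432 and a copy of it that negates port 8080. The function names and the copy's sid 1000001 are constructed for illustration, and the rule's content and flow options are assumed to match already.

```python
# Added illustration: models only the destination-port field of a Snort rule
# header (Snort 2.0 syntax: "any", "N", "N:M", ":M", "N:", optional "!" prefix).
# Function names and sid 1000001 are hypothetical, not taken from Snort.

def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` satisfies the port field `spec`."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        hit = True
    elif ":" in body:
        # Range; an omitted bound means the lowest or highest possible port.
        low, high = body.split(":", 1)
        lo = int(low) if low else 0
        hi = int(high) if high else 65535
        hit = lo <= port <= hi
    else:
        hit = port == int(body)
    # "!" inverts the result of the plain match.
    return hit != negated

# (sid, destination-port field): the original rule and a copy with the port changed.
RULES = [(1432, "!80"), (1000001, "!8080")]

def sids_fired(rules, dst_port):
    """Every rule is evaluated on its own; collect the sids whose port field matches."""
    return [sid for sid, spec in rules if port_matches(spec, dst_port)]

def ports_never_alerting(rules, candidates):
    """Ports from `candidates` for which no rule in the set fires."""
    return [p for p in candidates if not sids_fired(rules, p)]

if __name__ == "__main__":
    # Constructed sample destination ports: HTTP, alternate HTTP, Gnutella default.
    for port in (80, 8080, 6346):
        print(port, sids_fired(RULES, port))
```

Because each rule is evaluated independently, a destination port stays silent only when every copy's port field excludes it, which is worth checking against test traffic after duplicating a rule that uses a negated port.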