[Snort-sigs] A question about Snort

Esler, Joel Contractor EslerJ at ...785...
Fri Jun 13 04:14:08 EDT 2003


I am assuming you don't want to do a !80:8080

-----Original Message-----
From: Erek Adams [mailto:erek at ...95...]
Sent: Friday, June 13, 2003 6:15 AM
To: Maria Teresa Herrera Hueso
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] A question about Snort


On Tue, 10 Jun 2003, Maria Teresa Herrera Hueso wrote:

> We have installed Snort 2.0. We would like to make our own alerts for
> Snort.
>
> We would like to modify this alert:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
>
> to specify ! 80 and ! 8080, I mean, there were no alerts on these ports (80
> and 8080), but we do not know how to write it. How could we do it?
> Could you send us a manual about this, please?

You can't.  Snort can't do 'port lists'.

You just need to copy the rule and change the port on the copy.

Check the source tarball for the manual, or check Snort.org under
'documentation'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
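
The port options mentioned in this thread, compared in an added example (not code from the thread or from the Snort project). It models only the destination-port field of the rule header, with each rule evaluated on its own; the helper names and the sample ports are assumptions made for illustration.

```python
# Added example: models the destination-port field of a Snort 2.0 rule header.
# Forms handled: any, N, !N, LO:HI, :HI, LO: and negated ranges such as !LO:HI.

def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` satisfies a single Snort port specification."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif ":" in spec:
        # An open-ended range defaults to the lowest or highest port number.
        lo, hi = spec.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def alerting_ports(specs, ports):
    """Ports on which at least one rule copy (one copy per spec) would fire."""
    return [p for p in ports if any(port_matches(s, p) for s in specs)]


# Constructed sample of destination ports (6346 is the usual Gnutella port,
# 3128 a common proxy port); not taken from the thread.
SAMPLE_PORTS = [80, 443, 3128, 6346, 8080, 8081]

if __name__ == "__main__":
    options = {
        "original rule (!80)": ["!80"],
        "range negation (!80:8080)": ["!80:8080"],
        "two copies (!80 and !8080)": ["!80", "!8080"],
    }
    for label, specs in options.items():
        print(f"{label:28} alerts on {alerting_ports(specs, SAMPLE_PORTS)}")
```

On this sample, the negated range also silences every port between 80 and 8080, and the two copied rules together fire on all six ports because each copy still matches the port the other one excludes.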



