[Snort-sigs] A question about Snort

Esler, Joel Contractor EslerJ at ...785...
Fri Jun 13 04:14:08 EDT 2003

I am assuming you don't want to do a !80:8080

-----Original Message-----
From: Erek Adams [mailto:erek at ...95...]
Sent: Friday, June 13, 2003 6:15 AM
To: Maria Teresa Herrera Hueso
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] A question about Snort

On Tue, 10 Jun 2003, Maria Teresa Herrera Hueso wrote:

> we have installed Snort 2.0. We would like to make our own alerts for
> We would like to modify this alert:
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
> to specify ! 80 and ! 8080, I mean, there were no alerts these ports (80
> and 8080), but we do not know how to write it. How could we do it?
> Could you send us a manual about this, please?

You can't.  Snort can't do 'port lists'.

You just need to copy the rule and change the port on the copy.

Check the source tarball for the manual, or check Snort.org under


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
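
An added illustration, not part of the original thread: a small Python model of the port field in a Snort rule header (single port, `low:high` range, `!` negation), showing which destination ports each form discussed above selects. The function names and the sample ports are constructed for this example, and it assumes separately written rules are evaluated independently.

```python
# Added example: models only the port field of a Snort rule header
# (any, N, N:M, :M, N:, optionally negated with "!"). Not Snort's own code.

def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` satisfies the rule-header port field `spec`."""
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()
    if spec == "any":
        if negate:
            raise ValueError("'any' cannot be negated")
        return True
    if ":" in spec:
        low, high = spec.split(":", 1)
        lo = int(low) if low else 0          # ":M" means 0..M
        hi = int(high) if high else 65535    # "N:" means N..65535
        hit = lo <= port <= hi               # ranges are inclusive
    else:
        hit = port == int(spec)
    return hit != negate

def rules_alert(specs, port):
    """Independent rules: the packet is flagged if any one header matches."""
    return any(port_matches(s, port) for s in specs)

# Constructed sample destination ports
SAMPLE_PORTS = [80, 443, 6346, 8080, 12345]

CANDIDATES = {
    "original rule (!80)": ["!80"],
    "negated range (!80:8080)": ["!80:8080"],
    "two separate rules (!80, !8080)": ["!80", "!8080"],
}

def summary():
    """Map each candidate to the sample ports its header(s) would match."""
    return {name: [p for p in SAMPLE_PORTS if rules_alert(specs, p)]
            for name, specs in CANDIDATES.items()}

if __name__ == "__main__":
    for name, ports in summary().items():
        print(f"{name:34} matches dst ports {ports}")
```

The negated range excludes every port from 80 through 8080, not just those two ports, which is the trade-off behind the `!80:8080` remark at the top of the thread.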
