[Snort-sigs] all but one port option?
j.riden at ...1766...
Mon Feb 9 11:23:09 EST 2004
"Keith Loyd" <keith at ...2201...> writes:
> The answer is probably no, but I will ask anyway.
> Is it possible to write a rule that listens in on all but one port?
> Say I wanted to listen to all TCP except port 80.
Like this? :)
var SHELLCODE_PORTS !80
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:5;)
This one is for all IP, not just TCP, but you get the general idea.
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
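
To see which packets a negated port in the rule header does and does not select, here is an added example (not part of the original post, and not Snort's own code): a small Python evaluator for the rule-header port forms `any`, `N`, `lo:hi`, `:hi`, `lo:` and their `!` negations. The function names and sample packets are constructed for illustration, and rejecting `!any` is a choice made in this example.

```python
# Added example: evaluate Snort-style rule-header port specs against a packet.
# Forms handled: any, N, lo:hi, :hi, lo:  (each optionally prefixed with '!').

def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` satisfies the port spec."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        if negate:
            # Assumption of this example: '!any' can match nothing, so refuse it.
            raise ValueError("'!any' is not a usable port spec")
        return True
    lo, sep, hi = spec.partition(":")
    if sep:
        # Range: an omitted bound means "from 0" or "up to 65535".
        low = int(lo) if lo else 0
        high = int(hi) if hi else 65535
    else:
        low = high = int(lo)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    # XOR with the negation flag: '!80' is true for every port except 80.
    return (low <= port <= high) != negate


def header_matches(src_spec: str, dst_spec: str, sport: int, dport: int) -> bool:
    """Both the source and the destination port spec must be satisfied."""
    return port_matches(src_spec, sport) and port_matches(dst_spec, dport)


# Constructed sample packets as (source port, destination port).
PACKETS = [(40000, 80), (80, 40000), (40000, 25)]


def selected(src_spec: str, dst_spec: str):
    """Return the sample packets a header with these port specs would inspect."""
    return [p for p in PACKETS if header_matches(src_spec, dst_spec, *p)]


if __name__ == "__main__":
    # Negation in the source-port slot, as in the rule above.
    print("src !80 -> dst any:", selected("!80", "any"))
    # Negation in the destination-port slot instead.
    print("src any -> dst !80:", selected("any", "!80"))
```

The slot the negated port sits in decides which direction of port-80 traffic is skipped: in the source slot it skips packets coming from port 80, in the destination slot it skips packets going to port 80.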