[Snort-sigs] all but one port option?

James Riden j.riden at ...1766...
Mon Feb 9 11:23:09 EST 2004


"Keith Loyd" <keith at ...2201...> writes:

>  
> The answer is probably no, but I will ask anyway.
>
> Is it possible to write a rule that listens in on all but one port? 
> Say I wanted to listen to all TCP except port 80.
>
> Thanks,
> Keith

Like this? :)


from snort.conf: 

var SHELLCODE_PORTS !80


from shellcode.rules:

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:5;)

This one is for all IP, not just TCP, but you get the general idea.

 cheers,
  Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
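
The negated port variable in the reply above, worked through as an added example (not part of the original post and not Snort's own code). It models how a rule header's port fields accept or reject a packet for single ports, ranges and `!` negation; the function names and sample port pairs are constructed for illustration.

```python
# Added example: a model of Snort rule-header port matching, not Snort's code.
VARS = {"SHELLCODE_PORTS": "!80"}  # the var line quoted from snort.conf

def parse_port_spec(spec, variables=None):
    """Return (negated, lo, hi) for a port expression such as '!80' or '1:1024'."""
    spec = spec.strip()
    if spec.startswith("$"):  # resolve a snort.conf variable reference
        try:
            spec = (variables or {})[spec[1:]].strip()
        except KeyError:
            raise ValueError(f"undefined variable {spec}") from None
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        if negated:
            # Rejected in this model: a negated 'any' could never match.
            raise ValueError("'!any' matches no port")
        return False, 0, 65535
    if ":" in spec:  # range; an omitted bound means 0 or 65535
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return negated, lo, hi

def port_matches(spec, port, variables=None):
    negated, lo, hi = parse_port_spec(spec, variables)
    return (lo <= port <= hi) != negated

def header_matches(src_spec, dst_spec, sport, dport, variables=None):
    """Both port fields of the rule header must accept the packet's ports."""
    return (port_matches(src_spec, sport, variables)
            and port_matches(dst_spec, dport, variables))

if __name__ == "__main__":
    # Constructed (sport, dport) pairs, checked against the header quoted above.
    for sport, dport in [(80, 31337), (4444, 80), (25, 1025)]:
        hit = header_matches("$SHELLCODE_PORTS", "any", sport, dport, VARS)
        print(f"{sport:>5} -> {dport:<5} {'inspected' if hit else 'skipped'}")
```

In the quoted rule the negated variable sits in the source-port field, so the second sample pair (destination port 80, source port 4444) is still inspected.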




