[Snort-sigs] all but one port option?

SRH-Lists giermo at ...1992...
Mon Feb 9 13:45:03 EST 2004


> The answer is probably no, but I will ask anyway.
> 
> Is it possible to write a rule that listens in on all but one port? 
> Say I wanted to listen to all TCP except port 80.
> 
> Thanks,
> Keith

Suprise!!!
The answer is yes.

http://www.snort.org/docs/snort_manual/node11.html#SECTION00324000000000
000000

alert tcp $EXTERNAL_NET any -> $HOME_NET !80 (blah balh blah blah)

-steve




More information about the Snort-sigs mailing list