[Snort-sigs] all but one port option?

Matt Kettler mkettler at ...189...
Mon Feb 9 14:10:15 EST 2004

At 03:01 PM 2/9/2004, sam at ...219... wrote:
>You should be able to use the Not (!) operator in the ports as well as ip

Yep.. you can do a port, a range of ports, or a negation of either a single 
port or a range.

The only thing you specifically can't do for ports which you can do for IP 
addresses is have comma-delimited lists of ports.

i.e., you can't do things like this:
   any any -> any [80,8080]

but port specs like these are legal:
   any any -> any 80             # only port 80
   any any -> any !80            # anything but port 80
   any any -> any 20:80          # anything from 20 to 80, inclusive
   any any -> any !20:80         # anything other than 20 to 80, inclusive
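
Added example, not part of the original post: a small Python checker for the port-field forms listed above. It rejects comma lists and splits a list of ports into the single-port and range specs the post says are legal, one per rule header. Function names are hypothetical, and rejecting reversed or out-of-range values is this checker's own choice.

```python
# Added example: port-field forms follow the post above; all names are hypothetical.
import re

# optional "!", a port number, optional ":high" for a range
_PORT = re.compile(r"^(!?)(\d+)(?::(\d+))?$")

def parse_port_spec(spec):
    """Return (negated, low, high) for one port field, or raise ValueError."""
    spec = spec.strip()
    if spec == "any":
        return (False, 0, 65535)
    if "," in spec or spec.startswith("["):
        raise ValueError("comma-delimited port list not accepted: %r" % spec)
    m = _PORT.match(spec)
    if not m:
        raise ValueError("unrecognised port spec: %r" % spec)
    low = int(m.group(2))
    high = int(m.group(3)) if m.group(3) is not None else low
    if not (0 <= low <= high <= 65535):  # this checker's choice, see lead-in
        raise ValueError("port out of range or reversed range: %r" % spec)
    return (m.group(1) == "!", low, high)

def port_matches(spec, port):
    """True if `port` is selected by `spec` (ranges are inclusive)."""
    negated, low, high = parse_port_spec(spec)
    return (low <= port <= high) != negated

def _fmt(run):
    return str(run[0]) if run[0] == run[-1] else "%d:%d" % (run[0], run[-1])

def split_port_list(ports):
    """Collapse a list of ports into the fewest single/range specs."""
    specs, run = [], []
    for p in sorted(set(ports)):
        if run and p == run[-1] + 1:
            run.append(p)          # extend the current contiguous run
            continue
        if run:
            specs.append(_fmt(run))
        run = [p]
    if run:
        specs.append(_fmt(run))
    return specs

if __name__ == "__main__":
    # Constructed input: the list the post says cannot go in one rule header.
    for spec in split_port_list([80, 8080]):
        print("any any -> any %s" % spec)  # one rule header per spec
```
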

