[Snort-sigs] all but one port option?

Keith Loyd keith at ...2201...
Mon Feb 9 16:17:07 EST 2004


 

I wanted to thank everyone for the various approaches to my question,
and pointing out where I overlooked the documentation. (RTFM!)

Much appreciation,
Keith

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Monday, February 09, 2004 4:08 PM
To: Keith Loyd
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] all but one port option?

At 03:01 PM 2/9/2004, sam at ...219... wrote:
>You should be able to use the Not (!) operator in the ports as well
>as ip addresses...

Yep.. you can do a port, a range of ports, or a negation of either a
single port or a range.

The only thing you specifically can't do for ports which you can do
for IP addresses is have comma-delimited lists of ports.

i.e.: you can't do things like this:
   any any -> any [80,8080]

but port specs like these are legal:
   any any -> any 80             # only port 80
   any any -> any !80            # anything but port 80
   any any -> any 20:80          # anything from 20 to 80, inclusive
   any any -> any !20:80         # anything other than 20 to 80, inclusive




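Added example (not part of the original messages, and not Snort's own code): a small Python model of the port-field grammar described in the reply above. It accepts a single port, a low:high range, and a "!" negation of either, and rejects comma-delimited lists. The function names and the handling of the "any" keyword are assumptions made for illustration.

```python
import re

# Grammar as described in the thread: optional "!", then a port or low:high range.
_PORT_SPEC = re.compile(r"(!?)(\d{1,5})(?::(\d{1,5}))?")


def parse_port_spec(spec):
    """Return (negated, low, high) for a port field, or raise ValueError.

    Hypothetical helper modelling only the forms listed in the thread,
    plus the keyword "any" used in the rule headers there.
    """
    spec = spec.strip()
    if spec == "any":
        return (False, 0, 65535)
    if "," in spec or spec.startswith("["):
        raise ValueError(f"comma-delimited port lists are not accepted: {spec!r}")
    m = _PORT_SPEC.fullmatch(spec)
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    negated = m.group(1) == "!"
    low = int(m.group(2))
    # A single port is treated as a range of one.
    high = int(m.group(3)) if m.group(3) is not None else low
    if low > high or high > 65535:
        raise ValueError(f"port out of order or out of range: {spec!r}")
    return (negated, low, high)


def port_matches(spec, port):
    """True if `port` falls inside the set selected by `spec`."""
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high  # ranges are inclusive at both ends
    return inside != negated      # "!" inverts the selection


if __name__ == "__main__":
    # Constructed checks mirroring the four legal forms and the illegal one.
    for spec in ("80", "!80", "20:80", "!20:80", "[80,8080]"):
        try:
            hits = [p for p in (19, 20, 80, 81, 8080) if port_matches(spec, p)]
            print(f"{spec:<10} matches {hits}")
        except ValueError as exc:
            print(f"{spec:<10} rejected: {exc}")
```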




