[Snort-users] RE: [Snort-sigs] ports

Jason security at ...704...
Wed Jan 5 08:43:40 EST 2005


IIRC this is the the FAQ or the manual

var SPECIFIC_PORT 21
include port_list.rules

var SPECIFIC_PORT 110
include port_list.rules

Joe Patterson wrote:
> 
> um, false.  The second variable definition would override the first, 
> which would leave you with the equivalent of:
>  
> alert tcp any 110 -> any any blah blah
> which is not what you want.
>  
> -Joe
> 
>     -----Original Message-----
>     *From:* snort-sigs-admin at lists.sourceforge.net
>     [mailto:snort-sigs-admin at lists.sourceforge.net]*On Behalf Of *Esler,
>     Joel - Contractor
>     *Sent:* Wednesday, January 05, 2005 8:01 AM
>     *To:* snort-sigs at lists.sourceforge.net;
>     snort-users at lists.sourceforge.net
>     *Subject:* RE: [Snort-sigs] ports
> 
>     you can't do a list of ports, the best you can do is something like
>      
>     ---snort.conf----
>     var SPECIFIC_PORT 21
>     var SPECIFIC_PORT 110
>      
>     then in your rule
>      
>     alert tcp any $SPECIFIC_PORT -> any any blah blah.
> 
>         -----Original Message-----
>         *From:* snort-sigs-admin at lists.sourceforge.net
>         [mailto:snort-sigs-admin at lists.sourceforge.net] *On Behalf Of
>         *reynald
>         *Sent:* Tuesday, January 04, 2005 10:49 PM
>         *To:* snort-sigs at lists.sourceforge.net
>         *Cc:* Reynald Mahinay
>         *Subject:* [Snort-sigs] ports
> 
>         Hello,
>          
>         How can i define a list of ports? eg. 25,110 doesn't work... Now
>         i know snort can do
>         port ranging, but how about a specific list of ports only.
>          
>         please help..thanks
>          
>          
>         reynald 




More information about the Snort-sigs mailing list