[Snort-sigs] Not-ing out ports

waldo kitty wkitty42 at ...3507...
Mon May 13 11:09:08 EDT 2013


On 5/13/2013 10:19, Lay, James wrote:
> Guessing you’ll want the !25 on both ends since it’s bidirectional:
>
> alert tcp !25 any <> any !25

note:  alert tcp any !25 <> any !25

i thought the same thing but then i thought about someone using port 25 to 
tunnel like some do with port 53 and that didn't seem to be a good idea...

@OP: i'd take that rule and split it into at least two separate ones... one for 
inbound and one for outbound... put these in your local.rules and disable the 
current one that doesn't work as desired... then, maybe contact those who wrote 
it and ask for a fix... maybe even provide your two working ones with an 
explanation of why the original isn't working as desired ;)

> James
>
> *From:*John Wiltberger [mailto:johwiltb at ...2420...]
> *Sent:* Monday, May 13, 2013 5:01 AM
> *To:* snort-sigs at lists.sourceforge.net
> *Subject:* [Snort-sigs] Not-ing out ports
>
> So I have a question. When dealing with bi-directional signatures (I know, they
> aren't ideal in the least, but sometimes you can't help who develops your
> signatures), if you choose to not-out a port (as in !<port number>), does snort
> run a boolean OR on the traffic (as in 'if source port != <port number OR
> destination port != <port number>)?
>
> Reason is, I have a signature whose header is 'alert tcp any any <> any !25',
> yet it is still alerting off of traffic over port 25. I'm sorry if this seems
> confusing, I can't think of a better way of stating this. Any thoughts?



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
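The header semantics the thread is discussing, as an added example that is not code from the thread or from Snort itself: a small Python model of how a rule header with the bidirectional operator and a negated port is evaluated, assuming (as the replies describe) that a `<>` rule matches when either direction of the packet satisfies the src/dst port constraints. The `header_matches` helper and the sample flows are constructed for illustration.

```python
# Added example, not Snort's code: a hypothetical model of rule-header port
# matching that shows why "alert tcp any any <> any !25" still fires on
# port-25 traffic while "alert tcp any !25 <> any !25" does not.

def port_matches(spec, port):
    """Match one port against a header port spec: 'any', 'N' or '!N'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)

def header_matches(header, sport, dport):
    """Evaluate 'alert tcp SRC SPORT DIR DST DPORT' against a packet's ports.

    A '<>' rule is treated as two one-way rules (src->dst and dst->src),
    so the port constraints of either side are enough to satisfy it.
    """
    _action, _proto, _src, src_port, direction, _dst, dst_port = header.split()
    forward = port_matches(src_port, sport) and port_matches(dst_port, dport)
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = port_matches(dst_port, sport) and port_matches(src_port, dport)
        return forward or reverse
    raise ValueError(f"unknown direction operator: {direction}")

# Constructed sample flows: an SMTP session seen in both directions, plus an
# unrelated HTTP flow that should match either rule.
SAMPLE_FLOWS = [
    ("client->smtp", 51000, 25),
    ("smtp->client", 25, 51000),
    ("web", 51001, 80),
]

def evaluate(header):
    """Return {flow name: matched?} for each constructed sample flow."""
    return {name: header_matches(header, s, d) for name, s, d in SAMPLE_FLOWS}

if __name__ == "__main__":
    for rule in ("alert tcp any any <> any !25", "alert tcp any !25 <> any !25"):
        print(rule, evaluate(rule))
```

With the original header the reversed direction turns the `!25` into a source-port test, so the SMTP flows match on the other side's `any` and the rule fires exactly as the OP observed; negating 25 on both ends excludes the traffic in either direction.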