[Snort-users] Snort rules over-use "any"?

Jason Haar Jason.Haar at ...294...
Tue Sep 5 19:41:09 EDT 2000

I just got a couple of bogus alerts, and I think I can see why.

Most of the rules are of the form:

alert TCP $INTERNAL 777 -> $EXTERNAL any (msg: "IDS114/trojan-active-aimspy"; flags: SA;)

That says any internal address port 777 that sends TCP data to any external
address on any port number should match....

Why any port number? Surely this should be 1024: instead of any? 

I know, I know, some broken IP stacks and apps - like some Windows apps -
use port numbers < 1024 when they're meant to be above it - but what do
these actual attacks use? If the bad software uses > 1024, then so should


Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

More information about the Snort-users mailing list