[Snort-users] "All except" rules

Johnathan Corgan jcorgan at ...1638...
Thu Mar 22 10:54:03 EST 2001


Being new user to snort, I'm not quite up to speed on the rules language.  
However, I don't see how to program a rule that would trigger on "all 
destination ports except these specified well known ports".

I'd like to log all tcp SYN attempts to any port that aren't in a well known 
list such as pop3, www, ftp, smtp, etc.

Am I really, really missing something simple?  Appropriate embarassment will 
follow if I am.




More information about the Snort-users mailing list