[Snort-users] "All except" rules

Andrew R. Baker andrewb at ...1150...
Thu Mar 22 11:16:24 EST 2001

You can do this with a set of pass rules and one alert rule.
Make sure that the pass rules are processed before the alert
rule.  You can do this with either the -o switch on the
command line or using the conf file command

config order:	pass, alert

I think that is correct, I am working from memory... 

Here are some rules that you could use:

pass tcp $OUTSIDE any -> $INSIDE 80 (flags: S;)
pass tcp $OUTSIDE any -> $INSIDE 110 (flags: S;)
# add whatever other services you don't want to alert on here.

alert tcp $OUTSIDE any -> $INSIDE any (msg: "TCP Connection Attempt"; flags: S;)

Let me know if you have any more questions.


Johnathan Corgan wrote:
> Being a new user to snort, I'm not quite up to speed on the rules language.
> However, I don't see how to program a rule that would trigger on "all
> destination ports except these specified well known ports".
> I'd like to log all tcp SYN attempts to any port that aren't in a well known
> list such as pop3, www, ftp, smtp, etc.
> Am I really, really missing something simple?  Appropriate embarrassment will
> follow if I am.

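Added example (not part of the original post, and not Snort code): a small Python model of why the pass rules above only suppress alerts when the pass group is evaluated before the alert group. It parses the three rules from the reply and runs them over constructed packets under both orders. Assumptions: addresses are not modelled, the first action group with a matching rule decides, and the alert-first order is shown only for contrast.

```python
import re

# The rules from the reply; $OUTSIDE/$INSIDE stay symbolic (addresses not modelled).
RULES = """
pass tcp $OUTSIDE any -> $INSIDE 80 (flags: S;)
pass tcp $OUTSIDE any -> $INSIDE 110 (flags: S;)
alert tcp $OUTSIDE any -> $INSIDE any (msg: "TCP Connection Attempt"; flags: S;)
"""
RULE_RE = re.compile(r'^(pass|alert|log)\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)$')

def parse(text):
    """Parse the subset of the rule syntax used in the post."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        action, dport, opts = m.groups()
        flags = re.search(r'flags:\s*([A-Z0-9]+)\s*;', opts)
        rules.append({"action": action, "dport": None if dport == "any" else int(dport),
                      "flags": flags.group(1) if flags else None})
    return rules

def matches(rule, pkt):
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    # "flags: S" with no modifier matches only when exactly SYN is set
    return rule["flags"] is None or set(rule["flags"]) == set(pkt["flags"])

def verdict(rules, pkt, order):
    # Walk the action groups in the configured order; first group with a match wins.
    for action in order:
        if any(r["action"] == action and matches(r, pkt) for r in rules):
            return action
    return "none"

def alerted_ports(packets, order):
    rules = parse(RULES)
    return [p["dport"] for p in packets if verdict(rules, p, order) == "alert"]

# Constructed sample traffic: four bare SYNs, one SYN+ACK, one ACK
PACKETS = [
    {"dport": 80, "flags": "S"}, {"dport": 110, "flags": "S"},
    {"dport": 23, "flags": "S"}, {"dport": 6667, "flags": "S"},
    {"dport": 80, "flags": "SA"}, {"dport": 23, "flags": "A"},
]

if __name__ == "__main__":
    for order in (("pass", "alert"), ("alert", "pass")):
        print(order, "->", alerted_ports(PACKETS, order))
```

With the pass group first, only the SYNs to ports 23 and 6667 alert; with the alert group first, the SYNs to 80 and 110 alert as well, because the catch-all alert rule matches before any pass rule is consulted.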