[Snort-users] "All except" rules
Andrew R. Baker
andrewb at ...1150...
Thu Mar 22 11:16:24 EST 2001
You can do this with a set of pass rules and one alert rule.
Make sure that the pass rules are processed before the alert
rule. You can do this with either the -o switch on the
command line or using the conf file command
config order: pass, alert
I think that is correct, I am working from memory...
Here are some rules that you could use:
pass tcp $OUTSIDE any -> $INSIDE 80 (flags: S;)
pass tcp $OUTSIDE any -> $INSIDE 110 (flags: S;)
# add whatever other services you don't want to alert on here.
alert tcp $OUTSIDE any -> $INSIDE any (msg: "TCP Connection Attempt"; flags: S;)
Let me know if you have any more questions.
Johnathan Corgan wrote:
> Being a new user to snort, I'm not quite up to speed on the rules language.
> However, I don't see how to program a rule that would trigger on "all
> destination ports except these specified well known ports".
> I'd like to log all tcp SYN attempts to any port that aren't in a well known
> list such as pop3, www, ftp, smtp, etc.
> Am I really, really missing something simple? Appropriate embarrassment will
> follow if I am.
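As an added illustration of why the rule order matters (this is example code written for this archive page, not something from the post above or from the Snort project), the following small simulator parses the three rules from the reply with a deliberately minimal rule grammar and evaluates a few constructed SYN packets under both orderings. Snort 1.x checks rule types in the order Alert, Pass, Log by default; the -o switch or "config order: pass, alert" moves the pass rules in front. The $INSIDE / $OUTSIDE values, the sample packets and the exact-match treatment of "flags: S" are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed variable values; Snort would take these from "var" lines in snort.conf.
VARS = {"$INSIDE": "10.0.0.0/24", "$OUTSIDE": "any"}

# The three rules from the reply, the alert rule with its closing "flags: S;)".
RULES_TEXT = """
pass tcp $OUTSIDE any -> $INSIDE 80 (flags: S;)
pass tcp $OUTSIDE any -> $INSIDE 110 (flags: S;)
alert tcp $OUTSIDE any -> $INSIDE any (msg: "TCP Connection Attempt"; flags: S;)
"""

# Minimal grammar: action proto src sport -> dst dport (opt: value; ...)
RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict = field(default_factory=dict)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S" for a bare SYN


def parse_rules(text):
    """Parse rule lines (skipping blanks and '#' comments) into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        action, proto, src, sport, dst, dport, body = m.groups()
        opts = {}
        for opt in body.split(";"):
            if opt.strip():
                key, value = opt.split(":", 1)
                opts[key.strip()] = value.strip().strip('"')
        rules.append(Rule(action, proto, src, sport, dst, dport, opts))
    return rules


def addr_matches(spec, addr):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def matches(rule, pkt):
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    # Simplification: "flags: S" is treated as an exact flag-set comparison.
    return "flags" not in rule.opts or rule.opts["flags"] == pkt.flags


def evaluate(rules, pkt, order=("alert", "pass", "log")):
    """Return the action of the first matching rule, trying rule types in `order`.
    A matching pass rule ends processing, so the packet never reaches the alert rule."""
    for action in order:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action
    return None


# Constructed sample traffic, not a real capture.
PACKETS = [
    Packet("tcp", "203.0.113.7", 40000, "10.0.0.5", 80, "S"),
    Packet("tcp", "203.0.113.7", 40001, "10.0.0.5", 110, "S"),
    Packet("tcp", "203.0.113.7", 40002, "10.0.0.5", 22, "S"),
    Packet("tcp", "203.0.113.7", 40003, "10.0.0.5", 22, "A"),  # not a SYN
]


def alerted_ports(order):
    """Destination ports of the sample packets that raise an alert under `order`."""
    rules = parse_rules(RULES_TEXT)
    return [p.dport for p in PACKETS if evaluate(rules, p, order) == "alert"]


if __name__ == "__main__":
    print("default order alert,pass,log ->", alerted_ports(("alert", "pass", "log")))
    print("config order: pass, alert   ->", alerted_ports(("pass", "alert", "log")))
```

With the default ordering every SYN alerts, including the ones to 80 and 110, because the catch-all alert rule is consulted first; with pass rules in front only the SYN to port 22 alerts, and the ACK-only packet matches nothing because of the flags check.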