[Snort-users] "All except" rules

shawn . moyer shawn at ...1184...
Thu Mar 22 11:48:33 EST 2001


Johnathan Corgan wrote:
> 
> Being new user to snort, I'm not quite up to speed on the rules language.
> However, I don't see how to program a rule that would trigger on "all
> destination ports except these specified well known ports".

In addition to what Andrew mentioned, you can also do this by !<port>,
i.e.

alert tcp $EXTERNAL_NET !80 <> $HOME_NET any (msg: "Non-http traffic!";)





--shawn


-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner




More information about the Snort-users mailing list