[Snort-users] Ignoring ports

Chris Green cmg at ...671...
Tue Nov 6 11:45:06 EST 2001


"Joshua Thomas" <thomasj at ...3870...> writes:

> How do I ignore arbirtary ports with out rewriting all the rules?
> For example, kazza runs on port 1214; how can I make all my rules not
> trigger on port 1214 traffic?

pcap filter of 'not tcp and port 1214 '

or

pass tcp any any <-> any 1214
along with using snort -o

Beware that this will open one for attacks due to clever attackers
using 1214 as a source port for the attack.

Someday, snort might be able to tell what kinda traffic it is and
possibly ignore it based on that.
-- 
Chris Green <cmg at ...671...>
"I'm beginning to think that my router may be confused."




More information about the Snort-users mailing list