[Snort-users] Negation while still using source ports.

Vjay LaRosa vjayl at ...3331...
Mon Sep 10 14:30:03 EDT 2001


Hello,

I have been fooling around with this rule all day and I was wondering if
some one could be so kind as to help me out. I want to ignore my DNS
servers in this alert. Here is the rule.


alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
(msg:"MISC TCP source port 53 to <1024"; flags:S;
reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)

When I take out the source port it seems to work. Is there another way I
should be doing this?
Thanks!

vjl

--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010910/5050f300/attachment.html>


More information about the Snort-users mailing list