[Snort-users] Negation while still using source ports.

Dragos Ruiu dr at ...381...
Mon Sep 10 15:30:03 EDT 2001


What you're trying to do is a little beyond snort's address lists.

Your rule is actually providing an extra field to the snort rule parser that is
confusing it.  Try using just the negated address list and not $EXTERNAL_NET.

cheers,
--dr

On Mon, 10 Sep 2001, Vjay LaRosa wrote:
> 
> Hello,
> 
> I have been fooling around with this rule all day and I was wondering if
> someone could be so kind as to help me out. I want to ignore my DNS
> servers in this alert. Here is the rule.
> 
> 
> alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
> (msg:"MISC TCP source port 53 to <1024"; flags:S;
> reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
> 
> When I take out the source port it seems to work. Is there another way I
> should be doing this?
> Thanks!
> 
> vjl
> 
> --
>  V.Jay LaRosa                           EMC Corporation
>  Systems Administrator                  171 South Street
>  (508)435-1000 ext 14957                Hopkinton, MA 01748
>  (508)497-8082 fax                      www.emc.com
> 
> 
> 


-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
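The point of the reply is that a Snort rule header has exactly seven fields (action, protocol, source address, source port, direction, destination address, destination port), so a negated address list has to take the place of $EXTERNAL_NET rather than sit beside it. The following is an added example, not code from the thread or from the Snort project: a small Python parser that splits a rule into its header fields and rejects a header with the wrong field count, plus an evaluator for Snort-style address specs (`any`, an address or CIDR, a bracketed list, optional `!` negation). The DNS server addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders standing in for the X.X.X.X values in the original post; `$HOME_NET`-style variables are not resolved here.

```python
import ipaddress

# Snort rule header layout (constructed from the rule format, not Snort's own code):
#   action proto src_addr src_port direction dst_addr dst_port (options;)
HEADER_FIELDS = ("action", "proto", "src_addr", "src_port",
                 "direction", "dst_addr", "dst_port")

# Constructed sample rules. Addresses 192.0.2.10/11 are placeholders for the
# poster's DNS servers (X.X.X.X in the original message).
BROKEN_RULE = ('alert tcp ![192.0.2.10,192.0.2.11] $EXTERNAL_NET 53 -> $HOME_NET :1023 '
               '(msg:"MISC TCP source port 53 to <1024"; flags:S; '
               'reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)')

# The fix suggested in the reply: the negated list replaces $EXTERNAL_NET.
FIXED_RULE = ('alert tcp ![192.0.2.10,192.0.2.11] 53 -> $HOME_NET :1023 '
              '(msg:"MISC TCP source port 53 to <1024"; flags:S; '
              'reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)')


def parse_rule_header(rule):
    """Split a rule into a dict of its seven header fields and the option string.

    Raises ValueError when the header does not have exactly seven
    whitespace-separated tokens, which is what an extra address field causes.
    """
    head, sep, opts = rule.partition("(")
    if not sep:
        raise ValueError("rule has no option section")
    tokens = head.split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, "
                         f"got {len(tokens)}: {tokens}")
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction operator: {header['direction']}")
    return header, opts.rstrip().rstrip(")")


def header_is_valid(rule):
    """Convenience wrapper: True if the rule header parses, False otherwise."""
    try:
        parse_rule_header(rule)
        return True
    except ValueError:
        return False


def address_matches(spec, ip):
    """Evaluate a Snort address spec against a single IP address.

    Supports 'any', one address or CIDR, a bracketed comma-separated list,
    and a leading '!' that negates the whole spec. Rule variables ($NAME)
    are not resolved in this illustration.
    """
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body.startswith("$"):
        raise ValueError("rule variables are not resolved in this example")
    if body == "any":
        hit = True
    else:
        nets = [ipaddress.ip_network(n, strict=False)
                for n in body.strip("[]").split(",")]
        hit = any(ipaddress.ip_address(ip) in n for n in nets)
    # A negated spec matches exactly when the plain spec does not.
    return hit != negate


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(f"{name}: header valid = {header_is_valid(rule)}")
    src = parse_rule_header(FIXED_RULE)[0]["src_addr"]
    for probe in ("192.0.2.10", "198.51.100.7"):
        print(f"{src} matches {probe}: {address_matches(src, probe)}")
```

Running the block shows the eight-token header being rejected while the seven-token version parses with `![192.0.2.10,192.0.2.11]` as its source address and `53` as its source port; the evaluator then confirms that the DNS server addresses are excluded from that spec while any other source still matches.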
