[Snort-users] Negation while still using source ports.

Phil Wood cpw at ...440...
Mon Sep 10 16:15:02 EDT 2001


On Mon, Sep 10, 2001 at 05:28:49PM -0400, Vjay LaRosa wrote:
> Hello,
> 
> I have been fooling around with this rule all day and I was wondering if
> someone could be so kind as to help me out. I want to ignore my DNS
> servers in this alert. Here is the rule.
> 
> 
> alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
                                      ^

That space breaks the parsing.  You might get away with:

             ![$HOME_NET,X.X.X.X,XXX.XXX.XXX.XXX] 53 -> $HOME_NET :1023

> (msg:"MISC TCP source port 53 to <1024"; flags:S;
> reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
> 
> When I take out the source port it seems to work. Is there another way I
> should be doing this?
> Thanks!
> 
> vjl
> 
> --
>  V.Jay LaRosa                           EMC Corporation
>  Systems Administrator                  171 South Street
>  (508)435-1000 ext 14957                Hopkinton, MA 01748
>  (508)497-8082 fax                      www.emc.com
> 
> 

-- 
Phil Wood, cpw at ...440...
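An added worked example (not Phil Wood's code, not the poster's, and not Snort's own parser): a small Python model of the Snort rule header grammar, "action proto src_addr src_port -> dst_addr dst_port", with '!' negation, [lists], $variables and port ranges. It shows that the header from the question splits into eight whitespace-separated fields instead of seven (the extra source-address field is what breaks parsing), and that the single-field form from the reply excludes the listed servers from the source while still matching source port 53 to destination ports below 1024. The VARS values, the 10.0.0.x placeholder DNS servers, the 203.0.113.5 external host and all function names are constructed for the example.

```python
"""Toy model of the Snort rule header: action proto src_addr src_port (->|<>) dst_addr dst_port.
Added illustration only; it is not Snort's parser."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Constructed stand-ins for the "var" lines in snort.conf (assumed values).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!$HOME_NET"}

# Constructed headers with placeholder DNS servers (not the poster's real addresses).
BROKEN_HEADER = "alert tcp ![10.0.0.1,10.0.0.2] $EXTERNAL_NET 53 -> $HOME_NET :1023"
FIXED_HEADER = "alert tcp ![$HOME_NET,10.0.0.1,10.0.0.2] 53 -> $HOME_NET :1023"

HEADER_FIELDS = 7  # action proto src_addr src_port direction dst_addr dst_port
RuleHeader = namedtuple("RuleHeader", "action proto src sport direction dst dport")


@dataclass
class AddrSpec:
    """An address, CIDR block, $variable or [list], optionally negated with '!'."""
    negated: bool
    items: list  # ip_network objects or nested AddrSpec

    def contains(self, ip) -> bool:
        hit = any(item.contains(ip) if isinstance(item, AddrSpec) else ip in item
                  for item in self.items)
        return hit != self.negated  # a leading '!' inverts the whole list


def parse_addr(text: str) -> AddrSpec:
    negated = text.startswith("!")
    if negated:
        text = text[1:]
    if text.startswith("$"):
        return AddrSpec(negated, [parse_addr(VARS[text])])  # KeyError on an undefined var
    if text.startswith("[") and text.endswith("]"):
        # A list may not contain whitespace: the header is split on spaces before we get here.
        return AddrSpec(negated, [parse_addr(part) for part in text[1:-1].split(",")])
    net = ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)
    return AddrSpec(negated, [net])


def parse_port(text: str) -> tuple:
    """Return (negated, low, high) for 'any', '53', '!53', ':1023', '1024:' or '1:1023'."""
    negated = text.startswith("!")
    if negated:
        text = text[1:]
    if text == "any":
        return negated, 0, 65535
    lo, sep, hi = text.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else 65535
    return negated, low, (high if sep else low)


def port_matches(spec: tuple, port: int) -> bool:
    negated, low, high = spec
    return (low <= port <= high) != negated


def parse_header(header: str) -> RuleHeader:
    tokens = header.split()
    if len(tokens) != HEADER_FIELDS:
        # The question's rule carries both "![...]" and "$EXTERNAL_NET" as the
        # source address, so it tokenises into eight fields and cannot be parsed.
        raise ValueError(f"expected {HEADER_FIELDS} header fields, got {len(tokens)}: {tokens}")
    action, proto, src, sport, direction, dst, dport = tokens
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    return RuleHeader(action, proto, parse_addr(src), parse_port(sport),
                      direction, parse_addr(dst), parse_port(dport))


def header_is_valid(header: str) -> bool:
    try:
        parse_header(header)
        return True
    except (ValueError, KeyError):
        return False


def header_matches(rule: RuleHeader, proto: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> bool:
    """Does a packet's 5-tuple satisfy the header? Handles both '->' and '<>'."""
    if rule.proto not in (proto, "ip"):
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    forward = (rule.src.contains(s) and port_matches(rule.sport, src_port)
               and rule.dst.contains(d) and port_matches(rule.dport, dst_port))
    if forward or rule.direction == "->":
        return forward
    return (rule.src.contains(d) and port_matches(rule.sport, dst_port)
            and rule.dst.contains(s) and port_matches(rule.dport, src_port))


if __name__ == "__main__":
    print("broken header parses:", header_is_valid(BROKEN_HEADER))  # False
    rule = parse_header(FIXED_HEADER)
    # External host, source port 53, to a low port inside: alerts.
    print(header_matches(rule, "tcp", "203.0.113.5", 53, "192.168.1.10", 1023))  # True
    # One of the excluded DNS servers doing the same thing: ignored.
    print(header_matches(rule, "tcp", "10.0.0.1", 53, "192.168.1.10", 1023))  # False
```

The model deliberately tokenises on whitespace first, as the reply's caret implies, so an address list with a space inside it breaks in the same way as a stray extra field; the real Snort parser reports such headers as fatal errors at load time, so a rule that "seems to work" only after a field is removed is worth re-reading field by field.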




