[Snort-users] Negation while still using source ports.
cpw at ...440...
Mon Sep 10 16:15:02 EDT 2001
On Mon, Sep 10, 2001 at 05:28:49PM -0400, Vjay LaRosa wrote:
> I have been fooling around with this rule all day and I was wondering if
> someone could be so kind as to help me out. I want to ignore my DNS
> servers in this alert. Here is the rule.
> alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
That space breaks the parsing. You might get away with:
![$HOME_NET,X.X.X.X,XXX.XXX.XXX.XXX] 53 -> $HOME_NET :1023
> (msg:"MISC TCP source port 53 to <1024"; flags:S;
> reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
> When I take out the source port it seems to work. Is there another way I
> should be doing this?
> V.Jay LaRosa, Systems Administrator
> EMC Corporation, 171 South Street, Hopkinton, MA 01748
> (508)435-1000 ext 14957, (508)497-8082 fax
> www.emc.com
Phil Wood, cpw at ...440...
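An added illustration of the parsing problem Phil describes (this is example code written for this page, not Snort's own parser and not from either poster): a small Python checker that splits a rule header on whitespace, the way Snort does, and reports which header field each token lands in. The field layout (action, protocol, source address, source port, direction, destination address, destination port) is the classic Snort header; the placeholder addresses and the three rule variants are taken from, or built from, the quoted rule and the suggested fix.

```python
# Added example: a minimal Snort-style rule-header checker (not Snort's own
# parser).  The header is everything before the option body, which starts at
# the first '('.  It is split on whitespace, so any space inside the source
# address field produces an extra token and shifts every later field.

HEADER_FIELDS = ("action", "proto", "src_ip", "src_port", "dir", "dst_ip", "dst_port")
DIRECTIONS = ("->", "<>")


def header_tokens(rule):
    """Return the whitespace-separated tokens of the rule header."""
    head = rule.split("(", 1)[0]
    return head.split()


def check_header(rule):
    """Return (fields, problems).

    fields maps each header field name to the token that lands in its slot,
    by position, so a misplaced token is easy to see.  problems lists the
    structural errors: wrong token count and direction operator out of place.
    """
    tokens = header_tokens(rule)
    problems = []
    if len(tokens) != len(HEADER_FIELDS):
        problems.append("expected %d header tokens, got %d: %s"
                        % (len(HEADER_FIELDS), len(tokens), tokens))
    dir_at = [i for i, t in enumerate(tokens) if t in DIRECTIONS]
    if dir_at != [4]:
        problems.append("direction operator at position %s, expected 4"
                        % (dir_at if dir_at else "none"))
    fields = dict(zip(HEADER_FIELDS, tokens))
    return fields, problems


# Constructed inputs, built from the rule quoted in the thread.
OPTIONS = ('(msg:"MISC TCP source port 53 to <1024"; flags:S; '
           'reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)')

# The rule as posted: $EXTERNAL_NET is a separate token after the negated list.
POSTED = "alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023 " + OPTIONS

# The same rule with the source port removed, which the poster says "seems to work".
NO_SRC_PORT = "alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET -> $HOME_NET :1023 " + OPTIONS

# The suggested form: one bracketed source-address list, then the port.
SUGGESTED = "alert tcp ![$HOME_NET,X.X.X.X,XXX.XXX.XXX.XXX] 53 -> $HOME_NET :1023 " + OPTIONS


if __name__ == "__main__":
    for name, rule in (("posted", POSTED), ("no source port", NO_SRC_PORT), ("suggested", SUGGESTED)):
        fields, problems = check_header(rule)
        print("%-15s fields=%s" % (name, fields))
        for p in problems:
            print("%-15s problem: %s" % ("", p))
```

Running it shows why the posted rule fails and why dropping the source port makes it load: with eight tokens the direction operator is in the wrong slot, and with the port removed the header has the right shape again but `$EXTERNAL_NET` is sitting in the source-port field rather than the address field. The suggested single bracketed list puts every token where the header expects it. What Snort does with a variable in the port slot depends on what that variable expands to, which this checker does not model.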