[Snort-users] Negation while still using source ports.
erek at ...577...
Mon Sep 10 16:39:02 EDT 2001
On Mon, 10 Sep 2001, Vjay LaRosa wrote:
> I have been fooling around with this rule all day and I was wondering if
> some one could be so kind as to help me out. I want to ignore my DNS
> servers in this alert. Here is the rule.
> alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
> (msg:"MISC TCP source port 53 to <1024"; flags:S;
> reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
As others have pointed out, this is not doable with the current rules parser.
Why don't you use a pass rule and then use the -o commandline option?
pass udp $DNS_SERVERS 53 <> $HOME_NET any
pass tcp $DNS_SERVERS 53 <> $HOME_NET any
Or if worst comes to worst, you could use a BPF filter on the command line...
No warranty implied or intended. :)
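Worked example of the pass-rule approach suggested in the reply above. This is an added illustration, not configuration from the original thread or from the Snort project; the network variables and the two DNS server addresses (192.0.2.53 and 198.51.100.53) are placeholders, and the alert rule is the stock sid 504 rule the original poster was trying to modify.

```conf
# snort.conf fragment (added example; addresses are placeholders)
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.0.2.53/32,198.51.100.53/32]

# Pass rules: traffic to/from our own DNS servers on port 53 is dropped from
# further inspection. Note the bidirectional operator <> so both directions match.
pass tcp $DNS_SERVERS 53 <> $HOME_NET any
pass udp $DNS_SERVERS 53 <> $HOME_NET any

# The original alert rule stays unmodified; no negation of individual hosts needed.
alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC TCP source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)
```

Start Snort with the -o switch (for example: snort -o -c snort.conf -l /var/log/snort) so that rule evaluation order becomes Pass, Alert, Log instead of the default Alert, Pass, Log; without -o the alert rule is checked first and would still fire on a SYN from the DNS servers before the pass rule ever gets a look. The BPF alternative mentioned in the reply would be a trailing tcpdump-style filter on the command line, such as 'not (src port 53 and (src host 192.0.2.53 or src host 198.51.100.53))', which keeps those packets out of Snort entirely, at the cost of losing all other detection on that traffic.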