[Snort-users] Negation while still using source ports.

Erek Adams erek at ...577...
Mon Sep 10 16:39:02 EDT 2001

On Mon, 10 Sep 2001, Vjay LaRosa wrote:

> I have been fooling around with this rule all day and I was wondering if
> someone could be so kind as to help me out. I want to ignore my DNS
> servers in this alert. Here is the rule.
> alert tcp ![X.X.X.X,XXX.XXX.XXX.XXX] $EXTERNAL_NET 53 -> $HOME_NET :1023
> (msg:"MISC TCP source port 53 to <1024"; flags:S;
> reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;)


As others have pointed out, this is not doable with the current rules parser.

Why don't you use a pass rule and then use the -o command-line option?
Something like:

pass udp $DNS_SERVERS 53 <> $HOME_NET any
pass tcp $DNS_SERVERS 53 <> $HOME_NET any

Or if worse comes to worse, you could use a BPF filter on the command line....

No warranty implied or intended.  :)

Erek Adams
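The reason the pass rules need `-o` is Snort's rule-order semantics: by default the alert group is evaluated before the pass group, so sid 504 fires before the pass rule ever gets a look; `-o` moves the pass group first. The following is an added toy model of that ordering, written for this thread and not Snort's own code. It assumes constructed addresses (192.0.2.0/24 as $HOME_NET, 198.51.100.53 and .54 as $DNS_SERVERS, 203.0.113.7 as a non-DNS host) and supports only the rule features the thread uses: CIDR lists with negation, `<>`, simple port specs and `flags:S`. It also builds the BPF expression you would pass on the command line for the "worse comes to worse" option.

```python
import ipaddress
from dataclasses import dataclass


class AddrSet:
    """A Snort-style address list, optionally negated (models !$HOME_NET)."""

    def __init__(self, cidrs, negate=False):
        self.nets = [ipaddress.ip_network(c) for c in cidrs]
        self.negate = negate

    def __contains__(self, ip):
        hit = any(ipaddress.ip_address(ip) in n for n in self.nets)
        return hit != self.negate


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # TCP SYN flag set (sid 504 uses flags:S)


@dataclass
class Rule:
    action: str            # "alert", "pass" or "log"
    proto: str
    src: AddrSet
    sport: str             # "any", "53", ":1023" (<=1023) or "1024:" (>=1024)
    dst: AddrSet
    dport: str
    bidir: bool = False    # True for the "<>" direction operator
    syn_only: bool = False  # models flags:S


def port_matches(spec, port):
    if spec == "any":
        return True
    if spec.startswith(":"):
        return port <= int(spec[1:])
    if spec.endswith(":"):
        return port >= int(spec[:-1])
    return port == int(spec)


def rule_matches(rule, pkt):
    if rule.proto != pkt.proto or (rule.syn_only and not pkt.syn):
        return False
    fwd = (pkt.src in rule.src and port_matches(rule.sport, pkt.sport)
           and pkt.dst in rule.dst and port_matches(rule.dport, pkt.dport))
    if fwd or not rule.bidir:
        return fwd
    # "<>": also try the rule with source and destination swapped
    return (pkt.dst in rule.src and port_matches(rule.sport, pkt.dport)
            and pkt.src in rule.dst and port_matches(rule.dport, pkt.sport))


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default rule order
PASS_FIRST = ("pass", "alert", "log")      # the order `snort -o` selects


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """Return the action taken for pkt: first match in action-group order, else None."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action
    return None


def bpf_exclude_dns(hosts):
    """BPF filter that drops port-53 traffic from the listed hosts before rules run."""
    return "not (src port 53 and (" + " or ".join(f"src host {h}" for h in hosts) + "))"


# Constructed address variables (RFC 5737 documentation ranges).
HOME_NET = AddrSet(["192.0.2.0/24"])
EXTERNAL_NET = AddrSet(["192.0.2.0/24"], negate=True)
DNS_SERVERS = AddrSet(["198.51.100.53/32", "198.51.100.54/32"])

RULES = [
    # sid 504 as shipped, without the unsupported negation in the source field
    Rule("alert", "tcp", EXTERNAL_NET, "53", HOME_NET, ":1023", syn_only=True),
    # Erek's two pass rules
    Rule("pass", "udp", DNS_SERVERS, "53", HOME_NET, "any", bidir=True),
    Rule("pass", "tcp", DNS_SERVERS, "53", HOME_NET, "any", bidir=True),
]

# Constructed packets: a SYN from a known DNS server and one from an unrelated host.
DNS_REPLY_SYN = Packet("tcp", "198.51.100.53", 53, "192.0.2.10", 1000)
ROGUE_SYN = Packet("tcp", "203.0.113.7", 53, "192.0.2.10", 1000)

if __name__ == "__main__":
    print("default order, DNS server:", evaluate(RULES, DNS_REPLY_SYN))
    print("with -o, DNS server:      ", evaluate(RULES, DNS_REPLY_SYN, PASS_FIRST))
    print("with -o, other host:      ", evaluate(RULES, ROGUE_SYN, PASS_FIRST))
    print("BPF alternative:", bpf_exclude_dns(["198.51.100.53", "198.51.100.54"]))
```

Without `-o` the DNS server's SYN still alerts even though a pass rule covers it; with `-o` it is passed, while the same packet from any other host still alerts. The BPF string is the whole-packet alternative: it keeps those packets out of every rule, not just sid 504, which is why it is the fallback rather than the first choice.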

