[Snort-users] newbie-writing rules help
erek at ...577...
Mon Jul 22 14:15:12 EDT 2002
On Mon, 22 Jul 2002, charella constansia wrote:
> I hav a question! I'm a newbie so maybe this sounds
> like a stupid question to you but please help me.
> I want to write some rules.
> I problem is that I have a server and only certain
> activities are allowed.
> For example only traffic from the outside going to
> port :80,23,8000,8001,8002 and a few more are allowed.
> How must I define this;
> I thought of:
> alert tcp any anu -> any 1[80,23,8000,8001,8002]
> Is this good. I looked in the Snort users manual but I
> couldn't find the answer.
If I'm correct you meant to write:
alert tcp any any -> any ![80,23,8000,8001,8002] (msg:"Er";)
If so... Sorry, that won't work. Snort does not handle port lists at the
moment, so you can't use a list of any sort to define that.
Now, keep in mind snort will only 'alert' you. It's not a firewall or a
packet filter. There are other programs that you should use if that's what
you want to do.
More information about the Snort-users