[Snort-users] newbie-writing rules help

Erek Adams erek at ...577...
Mon Jul 22 14:15:12 EDT 2002

On Mon, 22 Jul 2002, charella constansia wrote:

> Hi,
> I have a question! I'm a newbie so maybe this sounds
> like a stupid question to you but please help me.
> I want to write some rules.
> My problem is that I have a server and only certain
> activities are allowed.
> For example only traffic from the outside going to
> port :80,23,8000,8001,8002 and a few more are allowed.
> How must I define this?
> I thought of:
> alert tcp any anu -> any 1[80,23,8000,8001,8002]
> (msg:"Er";)
> Is this good? I looked in the Snort users manual but I
> couldn't find the answer.

If I'm correct you meant to write:

	alert tcp any any -> any ![80,23,8000,8001,8002] (msg:"Er";)

If so...  Sorry, that won't work.  Snort does not handle port lists at the
moment, so you can't use a list of any sort to define that.

Now, keep in mind Snort will only 'alert' you.  It's not a firewall or a
packet filter.  There are other programs that you should use if that's what
you want to do.


Erek Adams
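
An added example, not part of the original message: without port lists, the same policy can be written as one alert rule per gap between the allowed ports. The sketch below assumes Snort's `low:high` port range syntax; the function names are hypothetical and the rule options mirror the rule quoted in the thread.

```python
# Added example: express "alert on any TCP destination port NOT in the allowed
# set" without a port list, using one rule per range of disallowed ports.
# Assumption: the rule header accepts Snort's low:high port range syntax.

ALLOWED = [80, 23, 8000, 8001, 8002]   # ports from the original question
MAX_PORT = 65535


def disallowed_ranges(allowed, lo=0, hi=MAX_PORT):
    """Return (start, end) ranges covering lo..hi minus the allowed ports."""
    ranges = []
    start = lo
    for port in sorted(set(allowed)):
        if not lo <= port <= hi:
            raise ValueError(f"port out of range: {port}")
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def port_spec(start, end):
    """Format a range as low:high; a single-port gap stays a bare port."""
    return str(start) if start == end else f"{start}:{end}"


def build_rules(allowed, msg="Er"):
    """One alert rule per disallowed range, same header shape as the thread's rule."""
    return [
        f'alert tcp any any -> any {port_spec(s, e)} (msg:"{msg}";)'
        for s, e in disallowed_ranges(allowed)
    ]


if __name__ == "__main__":
    for rule in build_rules(ALLOWED):
        print(rule)
```

Adding "a few more" allowed ports only means extending `ALLOWED` and regenerating the rules; adjacent allowed ports such as 8000 to 8002 collapse into a single gap boundary.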

