[Snort-users] How to Craft a rule that negates multiple ports??

Alan_Kloster at ...5598... Alan_Kloster at ...5598...
Wed May 29 07:22:03 EDT 2002

I have been trying to craft a rule that will negate traffic coming from
ports 80 and 443.  Specifically the rule for "DOS MSDTC attempt", which
seems to generate an inordinate amount of false positives.  Using the
syntax ![80,443] or ![80, 443] or ![ 80 443] or !80 !443 or !80,!443
doesn't seem to work as the rules fail to load.  The "Guide to Writing
Snort Rules" mentions negation of single ports and port ranges, but not the
negation of multiple ports not in a range.   Also making two separate rules
doesn't work either, as the first rule alerts on port 80 successfully, but
the second rule doesn't appear to get applied as the traffic on port 443
doesn't alert.  I am using Snort 1.8.7.  Is this possible?

This rule won't load:

alert tcp $EXTERNAL_NET ![80,443] -> $HOME_NET 3372 (msg:"DOS MSDTC
attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006;
classtype:attempted-dos; sid:1408; rev:2;)May 28

More information about the Snort-users mailing list