[Snort-users] How to Craft a rule that negates multiple ports??

Michael Scheidell scheidell at ...5171...
Wed May 29 08:15:04 EDT 2002


> 
> This rule won't load:
> 
> alert tcp $EXTERNAL_NET ![80,443] -> $HOME_NET 3372 (msg:"DOS MSDTC
> attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006;
> classtype:attempted-dos; sid:1408; rev:2;)

what traffic, coming in from ports 81-442 would you miss?

> alert tcp $EXTERNAL_NET !80:443 -> $HOME_NET 3372 (msg:"DOS MSDTC
> attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006;
> classtype:attempted-dos; sid:1408; rev:2;)

add in

 alert tcp $EXTERNAL_NET 81:442 -> $HOME_NET 3372 (msg:"DOS MSDTC
 attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006;
 classtype:attempted-dos; sid:1408; rev:2;)

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...5171...
http://www.secnap.net/
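To check that the two-rule workaround above really covers "every source port except 80 and 443", here is a small model of Snort's port-field syntax as an added example (not code from the thread, from Snort, or from the poster). It assumes the 2002-era forms shown in the thread (`80`, `80:443`, `!80:443`) plus the bracketed list form `[80,443]` that later Snort releases accept, so the unsupported rule and the workaround can be compared set against set; it is not Snort's own parser.

```python
"""Snort-style port specification matcher (added example, not Snort's code).

Parses the port field of a Snort rule header into the set of ports it
covers, so the two-rule workaround from the thread can be compared with the
intended "every port except 80 and 443" semantics.
"""

PORT_MIN, PORT_MAX = 0, 65535


def parse_port_spec(spec: str) -> set:
    """Return the set of ports matched by a Snort port specification.

    Handles: 'any', a single port '80', a range '80:443', open ranges ':1023'
    and '1024:', a leading '!' for negation, and bracketed lists '[80,443]'
    (list syntax is an assumption based on later Snort port-list support,
    included so the form that failed to load in the thread can be modelled).
    """
    spec = spec.strip()
    if spec.startswith("!"):
        # Negation: everything the inner spec does not match.
        return set(range(PORT_MIN, PORT_MAX + 1)) - parse_port_spec(spec[1:])
    if spec == "any":
        return set(range(PORT_MIN, PORT_MAX + 1))
    if spec.startswith("[") and spec.endswith("]"):
        # List: union of the comma-separated members.
        ports = set()
        for item in spec[1:-1].split(","):
            ports |= parse_port_spec(item)
        return ports
    if ":" in spec:
        # Inclusive range; either end may be omitted.
        lo, hi = spec.split(":", 1)
        lo = int(lo) if lo else PORT_MIN
        hi = int(hi) if hi else PORT_MAX
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"bad port range: {spec}")
        return set(range(lo, hi + 1))
    port = int(spec)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port out of range: {spec}")
    return {port}


def ports_missed_by_single_rule() -> list:
    """Ports that '!80:443' alone fails to cover compared with '![80,443]'."""
    intended = parse_port_spec("![80,443]")
    single = parse_port_spec("!80:443")
    return sorted(intended - single)


def workaround_matches_intent() -> bool:
    """True when '!80:443' plus the extra '81:442' rule equals '![80,443]'."""
    combined = parse_port_spec("!80:443") | parse_port_spec("81:442")
    return combined == parse_port_spec("![80,443]")


if __name__ == "__main__":
    missed = ports_missed_by_single_rule()
    print(f"'!80:443' alone misses {len(missed)} source ports: "
          f"{missed[0]}-{missed[-1]}")
    print("two-rule workaround equals '![80,443]':", workaround_matches_intent())
```

Running it shows the gap the reply points at: the single negated range silently drops 362 source ports (81 through 442), and only the pair of rules reproduces the intended coverage. The same set arithmetic is a quick sanity check whenever a negated or split port specification is rewritten.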
