[Snort-users] Rule help with multiple port negation

Alberto Gonzalez ag-snort at ...7149...
Wed Oct 16 19:13:02 EDT 2002


Im assuming you want to log _EVERYTHING_ except whats headed to dst port 
80,443,110 right?
in your example you have that them as your 'src' port. on the left hand 
side of the direction operator
you could try port negation via 'ranges' like so !80:443  only a handful 
of services run in between..
but you would probably MISS alot....

I know you can specify multiple IP address via [x.x.x.x/32,x.x.x.x/32]
I checked the manual, i only saw port negation via ranges.. not multiple 
"!" ...
I could be wrong, tell me if I am.. take care

hope it helps ( wee 2 cents free )
   
    - Albert

McKim, Tim wrote:

>I want to create a rule that ignores three ports but alerts on everything
>else. 
>
>
>Something like 
>
>alert tcp !$HOME_NET (!80 && !443 && !110) -> $HOME_NET any ..........
>
>I just haven't been able to find what the correct syntax is or if it is even
>possible. If anyone knows how to do this I would appreciate the help.
>
>Thanks, 
>
>Tim 
>
>
>  
>
-- 
The secret to success is to start from scratch and keep on scratching.






More information about the Snort-users mailing list