[Snort-users] Rule help with multiple port negation
ag-snort at ...7149...
Wed Oct 16 19:13:02 EDT 2002
I'm assuming you want to log _EVERYTHING_ except what's headed to dst port
in your example you have them as your 'src' port, on the left hand
side of the direction operator.
You could try port negation via 'ranges' like so: !80:443. Only a handful
of services run in between..
but you would probably MISS a lot....
I know you can specify multiple IP addresses via [x.x.x.x/32,x.x.x.x/32].
I checked the manual, I only saw port negation via ranges.. not multiple
I could be wrong, tell me if I am.. take care
hope it helps ( wee 2 cents free )
McKim, Tim wrote:
>I want to create a rule that ignores three ports but alerts on everything
>alert tcp !$HOME_NET (!80 && !443 && !110) -> $HOME_NET any ..........
>I just haven't been able to find what the correct syntax is or if it is even
>possible. If anyone knows how to do this I would appreciate the help.
The secret to success is to start from scratch and keep on scratching.
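
An added example, not part of the original thread: when port negation is limited to a single range, the ports left over after excluding 80, 443 and 110 can be covered with one rule per gap, using the lo:hi, :hi and lo: range forms. It assumes the three ports are destination ports, as the reply does; the msg text and sid values are constructed.

```python
# Added example: cover "every port except a few" with plain Snort port ranges.
MAX_PORT = 65535

def complement_ranges(excluded):
    """Return (lo, hi) tuples covering 0..65535 minus the excluded ports."""
    ranges, lo = [], 0
    for port in sorted(set(excluded)):
        if not 0 <= port <= MAX_PORT:
            raise ValueError(f"invalid port: {port}")
        if port > lo:                      # gap before this excluded port
            ranges.append((lo, port - 1))
        lo = port + 1
    if lo <= MAX_PORT:                     # tail after the last excluded port
        ranges.append((lo, MAX_PORT))
    return ranges

def port_spec(lo, hi):
    """Format one range in Snort port syntax (N, :hi, lo:, lo:hi)."""
    if lo == hi:
        return str(lo)
    if lo == 0:
        return f":{hi}"
    if hi == MAX_PORT:
        return f"{lo}:"
    return f"{lo}:{hi}"

def build_rules(excluded, side="dst", base_sid=1000001):
    """One alert rule per remaining range; side selects src or dst port field."""
    if side not in ("src", "dst"):
        raise ValueError("side must be 'src' or 'dst'")
    rules = []
    for i, (lo, hi) in enumerate(complement_ranges(excluded)):
        spec = port_spec(lo, hi)
        src, dst = (spec, "any") if side == "src" else ("any", spec)
        rules.append(
            f"alert tcp !$HOME_NET {src} -> $HOME_NET {dst} "
            f'(msg:"TCP outside excluded ports ({spec})"; '  # constructed msg
            f"sid:{base_sid + i}; rev:1;)"                   # constructed sid
        )
    return rules

if __name__ == "__main__":
    for rule in build_rules([80, 443, 110]):
        print(rule)
```

Passing side="src" puts the ranges on the left of the direction operator instead, matching the placement in the quoted rule.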