[Snort-users] multiple ports in rule

Bryan Irvine bryan.irvine at ...9066...
Wed Dec 17 10:20:02 EST 2003


I enabled checking of p2p rules, and this morning I had 8,500 alerts of
p2p GNUTella GET, which turned out to all be to the mail server.

I look at the offending rule which looks like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
flow:to_server,established; content:"GET "; offset:0; depth:4;
classtype:misc-activity; sid:1432;  rev:3;)

Is there a way to specify not to use port 25 either?

i.e. [!80 !25] or something?

This is snort v 2.0.1 by the way.

--Bryan
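An added illustration (my own code, not part of the post and not Snort's own parser) of how a destination-port specification such as `![80,25]` would be evaluated against a connection, compared with the rule's current `!80`. The bracketed port-list notation is assumed here; the post does not confirm that Snort 2.0.1 accepts it.

```python
# Evaluate a Snort-style port specification against a port number.
# Assumed notation (modelled on Snort port lists; not confirmed for 2.0.1):
#   any | 80 | 1:1024 | :1024 | 1024: | !80 | [80,25,6346:6347] | ![80,25]

def _parse_item(item):
    """Turn one port item into an inclusive (lo, hi) range."""
    item = item.strip()
    if item == "any":
        return (0, 65535)
    if ":" in item:
        lo, hi = item.split(":", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 65535
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError("bad port item %r" % item)
    return (lo, hi)

def parse_port_spec(spec):
    """Return (negated, [(lo, hi), ...]) for a port spec string."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        items = spec[1:-1].split(",")
    else:
        items = [spec]
    return negated, [_parse_item(i) for i in items]

def port_matches(spec, port):
    """True if `port` is selected by `spec`; a leading '!' inverts the set."""
    negated, ranges = parse_port_spec(spec)
    hit = any(lo <= port <= hi for lo, hi in ranges)
    return hit != negated

def demo():
    """Constructed cases: the post's '!80' versus a spec excluding 25 too."""
    return {
        "!80 vs 25": port_matches("!80", 25),            # True: SMTP still alerts
        "![80,25] vs 25": port_matches("![80,25]", 25),  # False: SMTP excluded
        "![80,25] vs 6346": port_matches("![80,25]", 6346),  # True: Gnutella port
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```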